Below are some of the questions collated for easy reference of CISA aspirants. Please note that these questions are easily available from the net and collated domain-wise for easy reference.
CISA Question Bank-3
1. Which of the following is critical to the selection and acquisition of the correct operating
system software?
A. Competitive bids
B. User department approval
C. Hardware configuration analysis
D. Purchasing department approval
The correct answer is:
C. Hardware configuration analysis
Explanation:
The purchase of operating system software is dependent on the fact that the software is
compatible with the existing hardware. Choices A and D, although important, are not as
important as choice C. Users do not normally approve the acquisition of operating systems
software.
..........................................................................................................
2. A single digitally signed instruction was given to a financial institution to credit a
customer's account. The financial institution received the instruction three times and
credited the account three times. Which of the following would be the MOST appropriate
control against such multiple credits?
A. Encrypting the hash of the payment instruction with the public key of the financial
institution
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
C. Encrypting the hash of the payment instruction with the private key of the instructor
D. Affixing a time stamp to the hash of the instruction before having it digitally signed by
the instructor
The correct answer is:
B. Affixing a time stamp to the instruction and using it to check for duplicate payments
Explanation:
Affixing a time stamp to the instruction and using it to check for duplicate payments makes the
instruction unique. The financial institution can check that the instruction was not intercepted
and replayed, and thus, it could prevent crediting the account three times. Encrypting the hash of
the payment instruction with the public key of the financial institution does not protect against replay; it
only protects confidentiality and integrity of the instruction. Encrypting the hash of the payment
instruction with the private key of the instructor ensures integrity of the instruction and
nonrepudiation of the issued instruction. The process of creating a message digest requires
applying a cryptographic hashing algorithm to the entire message. The receiver, upon decrypting
the message digest, will recompute the hash using the same hashing algorithm and compare the
result with what was sent. Hence, affixing a time stamp into the hash of the instruction before
being digitally signed by the instructor would violate the integrity requirements of a digital
signature.
..........................................................................................................
3. Assumptions while planning an IS project involve a high degree of risk because they are:
A. based on known constraints.
B. based on objective past data.
C. a result of a lack of information.
D. often made by unqualified people.
The correct answer is:
C. a result of a lack of information.
Explanation:
Assumptions are made when adequate information is not available. When an IS project manager
makes an assumption, there is a high degree of risk because the lack of proper information can
cause unexpected loss to an IS project. Assumptions are not based on "known" constraints. When
constraints are known in advance, a project manager can plan according to those constraints
rather than assuming the constraints will not affect the project. Having objective data about past
IS projects will not lead to making assumptions, but rather helps the IS project manager in
planning the project. Hence, if objective past data are available and the project manager makes
use of them, the risk to the project is less. Regardless of whether they are made by qualified
people or unqualified people, assumptions are risky.
..........................................................................................................
4. An existing system is being extensively enhanced by extracting and reusing design and
program components. This is an example of:
A. reverse engineering.
B. prototyping.
C. software reuse.
D. reengineering.
The correct answer is:
D. reengineering.
Explanation:
Old (legacy) systems that have been corrected, adapted and enhanced extensively require
reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new
technologies into existing systems. Using program language statements, reverse engineering
involves reversing a program's machine code into the source code in which it was written to
identify malicious content in a program, such as a virus, or to adapt a program written for use
with one processor for use with a differently designed processor. Prototyping is the development
of a system through controlled trial and error. Software reuse is the process of planning,
analyzing and using previously developed software components. The reusable components are
integrated into the current software product systematically.
..........................................................................................................
5. When implementing an acquired system in a client-server environment, which of the
following tests would confirm that the modifications in the Windows registry do not
adversely impact the desktop environment?
A. Sociability testing
B. Parallel testing
C. White box testing
D. Validation testing
The correct answer is:
A. Sociability testing
Explanation:
When implementing an acquired system in a client-server environment, sociability testing
would confirm that the system can operate in the target environment without adversely impacting
other systems. Parallel testing is the process of feeding test data to the old and new systems and
comparing the results. White box testing is based on a close examination of procedural details,
and validation testing tests the functionality of the system against the detailed requirements to
ensure that the software that has been built is traceable to customer requirements.
..........................................................................................................
6. Information for detecting unauthorized input from a terminal would be BEST provided
by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.
The correct answer is:
B. transaction journal.
Explanation:
The transaction journal would record all transaction activity, which then could be compared to
the authorized source documents to identify any unauthorized input. A console log printout is not
the best, because it would not record activity from a specific terminal. An automated suspense
file listing would only list transaction activity where an edit error occurred, and the user error
report would only list input that resulted in an edit error.
..........................................................................................................
7. The IS auditor finds that a system under development has 12 linked modules and each
item of data can carry up to 10 definable attribute fields. The system handles several
million transactions a year. Which of these techniques could the IS auditor use to estimate
the size of the development effort?
A. Program evaluation review technique (PERT)
B. Counting source lines of code (SLOC)
C. Function point analysis
D. White box testing
The correct answer is:
C. Function point analysis
Explanation:
Function point analysis is an indirect method of measuring the size of an application by
considering the number and complexity of its inputs, outputs and files. It is useful for evaluating
complex applications. PERT is a project management technique that helps with both planning
and control. SLOC gives a direct measure of program size, but does not allow for the complexity
that may be caused by having multiple, linked modules and a variety of inputs and outputs.
White box testing involves a detailed review of the behavior of program code, and is a quality
assurance technique suited to simpler applications during the design and build stage of
development.
..........................................................................................................
8. The editing/validation of data entered at a remote site would be performed MOST
effectively at the:
A. central processing site after running the application system.
B. central processing site during the running of the application system.
C. remote processing site after transmission of the data to the central processing site.
D. remote processing site prior to transmission of the data to the central processing site.
The correct answer is:
D. remote processing site prior to transmission of the data to the central processing site.
Explanation:
It is important that the data entered from a remote site is edited and validated prior to
transmission to the central processing site.
..........................................................................................................
9. Which of the following is the FIRST thing an IS auditor should do after the discovery of
a Trojan horse program in a computer system?
A. Investigate the author.
B. Remove any underlying threats.
C. Establish compensating controls.
D. Have the offending code removed.
The correct answer is:
D. Have the offending code removed.
Explanation:
The IS auditor's first duty is to prevent the Trojan horse from causing further damage. After
removing the offending code, follow-up actions would include investigation and
recommendations (choices B and C).
..........................................................................................................
10. The GREATEST benefit in implementing an expert system is the:
A. capturing of the knowledge and experience of individuals in an organization.
B. sharing of knowledge in a central repository.
C. enhancement of personnel productivity and performance.
D. reduction of employee turnover in key departments.
The correct answer is:
A. capturing of the knowledge and experience of individuals in an organization.
Explanation:
The basis for an expert system is the capture and recording of the knowledge and experience of
individuals in an organization. Coding and entering the knowledge in a central repository,
shareable within the enterprise, is a means of facilitating the expert system. Enhancing personnel
productivity and performance is a benefit; however, it is not as important as capturing the
knowledge and experience. Employee turnover is not necessarily affected by an expert system.
..........................................................................................................
11. An IS auditor reviewing a proposed application software acquisition should ensure that
the:
A. operating system (OS) being used is compatible with the existing hardware platform.
B. planned OS updates have been scheduled to minimize negative impacts on company
needs.
C. OS has the latest versions and updates.
D. products are compatible with the current or planned OS.
The correct answer is:
D. products are compatible with the current or planned OS.
Explanation:
Choices A, B and C are incorrect because none of them is related to the area being audited. In
reviewing the proposed application the auditor should ensure that the products to be purchased
are compatible with the current or planned OS. Regarding choice A, if the OS is currently being
used, it is compatible with the existing hardware platform, because if it is not, it would not
operate properly. In choice B, the planned OS updates should be scheduled to minimize negative
impacts on the organization. For choice C, the installed OS should be equipped with the most
recent versions and updates (with sufficient history and stability).
..........................................................................................................
12. Which of the following is MOST likely to occur when a system development project is
in the middle of the programming/coding phase?
A. Unit tests
B. Stress tests
C. Regression tests
D. Acceptance tests
The correct answer is:
A. Unit tests
Explanation:
During the programming phase, the development team should have mechanisms in place to
ensure that coding is being developed to standard and is working correctly. Unit tests are key
elements of that process in that they ensure that individual programs are working correctly. They
would normally be supported by code reviews. Stress tests, regression tests and acceptance tests
would normally occur later in the development and testing phases. As part of the process of
assessing compliance with quality processes, IS auditors should verify that such reviews are
undertaken.
..........................................................................................................
13. An organization planning to purchase a software package asks the IS auditor for a risk
assessment. Which of the following is the MAJOR risk?
A. Unavailability of the source code
B. Lack of a vendor-quality certification
C. Absence of vendor/client references
D. Little vendor experience with the package
The correct answer is:
A. Unavailability of the source code
Explanation:
If the vendor goes out of business, not having the source code available would make it
impossible to update the (software) package. Lack of a vendor-quality certification, absence of
vendor/client references and little vendor experience with the package are important issues but
not critical.
..........................................................................................................
14. An IS auditor assigned to audit a reorganized process should FIRST review which of
the following?
A. A map of existing controls
B. Eliminated controls
C. Process charts
D. Compensating controls
The correct answer is:
C. Process charts
Explanation:
To ensure adequate control over the business process, the auditor should first review the flow
charts showing the before and after processes. The process charts aid in analyzing the changes in
the processes. The other choices—analyzing eliminated controls, ensuring that compensating
controls are in place and analyzing the existing controls—are incorrect as each, performed
individually, would not be as effective and all-encompassing as reviewing the process charts.
..........................................................................................................
15. The PRIMARY benefit of integrating total quality management (TQM) into a software
development project is:
A. comprehensive documentation.
B. on-time delivery.
C. cost control.
D. end-user satisfaction.
The correct answer is:
D. end-user satisfaction.
Explanation:
Quality is ultimately a measure of end-user satisfaction. If the end user is not satisfied, then the
product was not properly developed. Comprehensive documentation, on-time delivery and costs
are all secondary to end-user satisfaction.
..........................................................................................................
16. When reviewing the quality of an IS department's development process, the IS auditor
finds that it does not use any formal, documented methodology and standards. The IS
auditor's MOST appropriate action would be to:
A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are implemented.
The correct answer is:
C. document the informal standards and test for compliance.
Explanation:
The IS auditor's first concern would be to ensure that projects are consistently managed. Where it
is claimed that an internal standard exists, it is important to ensure that it is operated correctly,
even when this means documenting the claimed standards first. Merely reporting the issue as a
weakness and closing the audit without findings would not help the organization in any way and
investigating formal methodologies may be unnecessary if the existing, informal standards prove
to be adequate and effective.
..........................................................................................................
17. During unit testing, the test strategy applied is:
A. black box.
B. white box.
C. bottom-up.
D. top-down.
The correct answer is:
B. white box.
Explanation:
White box testing examines the internal structure of a module. A programmer should perform
this test for each module prior to integrating the module with others. Black box testing focuses
on the functional requirements and does not consider the control structure of the module.
Choices C and D are not correct because these tests require that several modules have already
been assembled and tested.
..........................................................................................................
18. A decision support system (DSS):
A. is aimed at solving highly structured problems.
B. combines the use of models with nontraditional data access and retrieval functions.
C. emphasizes flexibility in the decision-making approach of users.
D. supports only structured decision-making tasks.
The correct answer is:
C. emphasizes flexibility in the decision-making approach of users.
Explanation:
DSS emphasizes flexibility in the decision-making approach of users. It is aimed at solving
less-structured problems, combines the use of models and analytic techniques with traditional data
access and retrieval functions, and supports semistructured decision-making tasks.
..........................................................................................................
19. Which of the following phases represents the optimum point for software baselining to
occur?
A. Testing
B. Design
C. Requirement
D. Development
The correct answer is:
B. Design
Explanation:
Software baselining is the cut-off point in the design and development of an application, beyond
which change should not occur without undergoing formal procedures for approval and should
be supported by a cost-benefit business impact analysis. The optimum point for software
baselining to occur is the design phase.
..........................................................................................................
20. A proposed transaction processing application will have many data capture sources and
outputs in paper and electronic form. To ensure that transactions are not lost during
processing, the IS auditor should recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.
The correct answer is:
D. automated systems balancing.
Explanation:
Automated systems balancing would be the best way to ensure that no transactions are lost as
any imbalance between total inputs and total outputs would be reported for investigation and
correction. Validation controls and internal credibility checks are certainly valid controls, but
will not detect and report lost transactions. In addition, although a clerical procedure could be
used to summarize and compare inputs and outputs, an automated process is less susceptible to
error.
..........................................................................................................
21. When auditing the conversion of an accounting system an IS auditor should verify the
existence of a:
A. control total check.
B. validation check.
C. completeness check.
D. limit check.
The correct answer is:
A. control total check.
Explanation:
Tallying a control total of all accounts before and after conversion will assure the IS auditor that
all amount data has been taken into the new system. Later one-to-one checking by users will
assure that all the data has been converted. The other choices are incorrect. Validation checks,
completeness checks and limit checks would be applied at the point at which the data are
originally entered into the accounting system.
..........................................................................................................
22. A debugging tool, which reports on the sequence of steps executed by a program, is
called a(n):
A. output analyzer.
B. memory dump.
C. compiler.
D. logic path monitor.
The correct answer is:
D. logic path monitor.
Explanation:
Logic path monitors report on the sequence of steps executed by a program. This provides the
programmer with clues to logic errors, if any, in the program. An output analyzer checks the
results of a program for accuracy by comparing the expected results with the actual results. A
memory dump provides a picture of the content of a computer's internal memory at any point in
time, often when the program is aborted, thus providing information on inconsistencies in data or
parameter values. Though compilers have some potential to provide feedback to a programmer,
they are not generally considered a debugging tool.
..........................................................................................................
23. Which of the following facilitates program maintenance?
A. More cohesive and loosely coupled programs
B. Less cohesive and loosely coupled programs
C. More cohesive and strongly coupled programs
D. Less cohesive and strongly coupled programs
The correct answer is:
A. More cohesive and loosely coupled programs
Explanation:
Cohesion refers to the performance of a single, dedicated function by each program. Coupling
refers to the independence of the comparable units. Loosely coupled units, when the program
code is changed, will reduce the probability of affecting other program units. More cohesive and
loosely coupled units are best for maintenance.
..........................................................................................................
24. Which of the following ensures completeness and accuracy of accumulated data?
A. Processing control procedures
B. Data file control procedures
C. Output controls
D. Application controls
The correct answer is:
A. Processing control procedures
Explanation:
Processing controls ensure the completeness and accuracy of accumulated data, for example,
editing and run-to-run totals. Data file control procedures ensure that only authorized processing
occurs to stored data, for example, transaction logs. Output controls ensure that data delivered to
users will be presented, formatted and delivered in a consistent and secure manner, for example,
using report distribution. "Application controls" is a general term comprising all kinds of
controls used in an application.
..........................................................................................................
25. The MAJOR concern for an IS auditor reviewing a CASE environment should be that
the use of CASE does not automatically:
A. result in a correct capture of requirements.
B. ensure that desirable application controls have been implemented.
C. produce ergonomic and user-friendly interfaces.
D. generate efficient code.
The correct answer is:
A. result in a correct capture of requirements.
Explanation:
The principal concern should be to ensure an alignment of the application with business needs
and user requirements. While the CASE being used may provide tools to cover this crucial initial
phase, a cooperative user-analyst interaction is always needed. Choice B should be the next
concern. If the system meets business needs and user requirements, it should also incorporate all
desirable controls. Controls have to be specified since CASE can only automatically incorporate
certain, rather low-level, controls (such as checking the expected type of input data, e.g., a date). CASE will not
(choice C) automatically generate ergonomic and user-friendly interfaces, but it should provide
tools for easy (and automatically documented) tuning. CASE applications (choice D) generally
come short of optimizing the use of hardware and software resources, precisely because they are
designed to optimize other elements, such as developers' effort or documentation.
..........................................................................................................
26. The MOST likely explanation for the use of applets in an Internet application is that:
A. it is sent over the network from the server.
B. the server does not run the program and the output is not sent over the network.
C. they improve the performance of the web server and network.
D. it is a JAVA program downloaded through the web browser and executed by the web
server of the client machine.
The correct answer is:
C. they improve the performance of the web server and network.
Explanation:
An applet is a JAVA program that is sent over the network from the web server, through a web
browser, to the client machine. Then the code is run on the machine. Since the server does not
run the program and the output is not sent over the network, the performance on the web server
and network, over which the server and client are connected, drastically improves through the
use of applets. Performance improvement is more important than the reasons offered in choices
A and B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet
download through the web browser runs on the client machine from the web browser, not from
the web server, making choice D incorrect.
..........................................................................................................
27. Ideally, stress testing should be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.
The correct answer is:
C. test environment using live workloads.
Explanation:
Stress testing is carried out to ensure a system can cope with production workloads. A test
environment should always be used to avoid damaging the production environment. Hence,
testing should never take place in a production environment (choices B and D), and if only test
data is used, there is no certainty that the system was stress tested adequately.
..........................................................................................................
28. Good quality software is BEST achieved:
A. through thorough testing.
B. by finding and quickly correcting programming errors.
C. by determining the amount of testing using the available time and budget.
D. by applying well-defined processes and structured reviews throughout the project.
The correct answer is:
D. by applying well-defined processes and structured reviews throughout the project.
Explanation:
Testing can point to quality deficiencies; however, it cannot by itself fix them. Corrective action
at this point in the project is expensive. While it is necessary to detect and correct program
errors, the bigger return comes from detecting defects as they occur in upstream phases, such as
requirements and design. Choice C is representative of the most common mistake when applying
quality management to a software project: it is seen as overhead, whereas early removal of defects
has a substantial payback. Rework is actually the largest cost driver on most software projects.
Choice D represents the core of achieving quality, that is, following a well-defined, consistent
process and effectively reviewing key deliverables.
..........................................................................................................
29. A company undertakes a business process reengineering (BPR) project in support of a
new and direct marketing approach to its customers. Which of the following would be the
IS auditor's main concern about the new process?
A. Are key controls in place to protect assets and information resources?
B. Does it address the corporate customer requirements?
C. Does the system meet the performance goals (time and resources)?
D. Have owners been identified who will be responsible for the process?
The correct answer is:
A. Are key controls in place to protect assets and information resources?
Explanation:
The audit team must advocate the inclusion of the key controls and verify that the controls are in
place before implementing the new process. Choices B, C and D are objectives that the BPR
process should achieve, but they are not the auditor's primary concern.
..........................................................................................................
30. A company has contracted with an external consulting firm to implement a commercial
financial system to replace its existing in-house-developed system. In reviewing the
proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
The correct answer is:
B. A quality plan is not part of the contracted deliverables.
Explanation:
A quality plan is an essential element of all projects. It is critical that the contracted supplier be
required to produce such a plan. The quality plan for the proposed development contract should
be comprehensive and encompass all phases of the development and include which business
functions will be included and when. Acceptance is normally managed by the user area, since
they must be satisfied that the new system will meet their requirements. If the system is large, a
phased-in approach to implementing the application is a reasonable approach. Prototyping is a
valid method of ensuring that the system will meet business requirements.
..........................................................................................................
31. The use of a GANTT chart can:
A. aid in scheduling project tasks.
B. determine project checkpoints.
C. ensure documentation standards.
D. direct the postimplementation review.
The correct answer is:
A. aid in scheduling project tasks.
Explanation:
A GANTT chart is used in project control. It may aid in the identification of needed checkpoints,
but its primary use is in scheduling. It will not ensure the completion of documentation nor will it
provide direction for the postimplementation review.
..........................................................................................................
32. Using test data as part of a comprehensive test of program controls in a continuous
online manner is called a(n):
A. test data/deck.
B. base-case system evaluation.
C. integrated test facility (ITF).
D. parallel simulation.
The correct answer is:
B. base-case system evaluation.
Explanation:
A base-case system evaluation uses test data sets developed as part of comprehensive testing
programs. It is used to verify correct systems operations before acceptance, as well as periodic
validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious
files in the database with test transactions processed simultaneously with live input. Parallel
simulation is the production of data processed using computer programs that simulate application
program logic.
..........................................................................................................
33. Testing the connection of two or more system components that pass information from
one area to another is:
A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.
The correct answer is:
C. interface testing.
Explanation:
Interface testing is a hardware or software test that evaluates the connection of two or more
components that pass information from one area to another. Pilot testing is a preliminary test that
focuses on specific and predetermined aspects of a system and is not meant to replace other
methods. Parallel testing is the process of feeding test data into two systems—the modified
system and an alternative system—and comparing the results. Regression testing is the process
of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have
not introduced new errors. The data used in regression testing is the same as the data used in the
original test.
..........................................................................................................
34. Regression testing is the process of testing a program to determine if:
A. the new code contains errors.
B. discrepancies exist between functional specifications and performance.
C. new requirements have been met.
D. changes have introduced any errors in the unchanged code.
The correct answer is:
D. changes have introduced any errors in the unchanged code.
Explanation:
Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure
that changes or corrections have not introduced new errors. The data used in regression testing
should be the same as the data used in the original test. Unit testing is used to determine if a new
code contains errors or does not meet requirements.
..........................................................................................................
35. Which of the following groups/individuals should assume overall direction and
responsibility for costs and timetables of system development projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
The correct answer is:
B. Project steering committee
Explanation:
The project steering committee is ultimately responsible for all costs and timetables. User
management assumes ownership of the project and the resulting system. Senior management
commits to the project and approves the resources necessary to complete the project. System
development management provides technical support for the hardware and software
environments by developing, installing and operating the requested system.
..........................................................................................................
36. The difference between white box testing and black box testing is that white box testing:
A. involves the IS auditor.
B. is performed by an independent programmer team.
C. examines a program's internal logical structure.
D. uses the bottom-up approach.
The correct answer is:
C. examines a program's internal logical structure.
Explanation:
Black box testing observes a system's external behavior, while white box testing is a detailed
examination of the program's logical paths, checking the possible conditions. The IS auditor need not
be involved in either testing method. The bottom-up approach can be used in both tests. White box
testing requires knowledge of the internals of the program or the module to be implemented/tested.
Black box testing requires that the functionality of the program be known. The independent
programmer team would not be aware of the application of a program in which they have not
been involved; hence, the independent programmer team cannot provide any assistance in either
of these testing approaches.
..........................................................................................................
37. An IS auditor reviewing a project, where quality is a major concern, should use the
project management triangle to explain that a(n):
A. increase in quality can be achieved, even if resource allocation is decreased.
B. increase in quality is only achieved, if resource allocation is increased.
C. decrease in delivery time can be achieved, even if resource allocation is decreased.
D. decrease in delivery time can only be achieved, if quality is decreased.
The correct answer is:
A. increase in quality can be achieved, even if resource allocation is decreased.
Explanation:
The three primary dimensions of a project are determined by the deliverables, the allocated
resources and the delivery time. The area of the project management triangle, made up of these
three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might
be compensated by changing either one or both remaining dimensions. Thus, if resource
allocation is decreased, an increase in quality can still be achieved, provided a delay in the delivery
time of the project is accepted. The area of the triangle always remains constant.
..........................................................................................................
38. Which of the following integrity tests examines the accuracy, completeness, consistency
and authorization of data?
A. Data
B. Relational
C. Domain
D. Referential
The correct answer is:
A. Data
Explanation:
Data integrity testing examines the accuracy, completeness, consistency and authorization of
data. Relational integrity testing detects modification to sensitive data by the use of control
totals. Domain integrity testing verifies that data conforms to specifications. Referential integrity
testing ensures that data exists in its parent or original file before it exists in the child or another
file.
..........................................................................................................
39. Which of the following is MOST effective in controlling application maintenance?
A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes
The correct answer is:
C. Obtaining user approval of program changes
Explanation:
User approvals of program changes will ensure that changes are correct as specified by the user
and that they are authorized. Therefore, erroneous or unauthorized changes are less likely to
occur, minimizing system downtime and errors.
..........................................................................................................
40. Which of the following groups should assume ownership of a systems development
project and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management
The correct answer is:
A. User management
Explanation:
User management assumes ownership of the project and resulting system. They should review
and approve deliverables as they are defined and accomplished. Senior management approves
the project and the resources needed to complete it. The project steering committee provides
overall direction and is responsible for monitoring costs and timetables. Systems development
management provides technical support.
..........................................................................................................
41. To make an electronic funds transfer (EFT), one employee enters the amount field and
another employee reenters the same data again, before the money is transferred. The
control adopted by the organization in this case is:
A. sequence check.
B. key verification.
C. check digit.
D. completeness check.
The correct answer is:
B. key verification.
Explanation:
Key verification is a process in which keying-in is repeated by a separate individual using a
machine that compares the original entry to the repeated entry. Sequence check refers to the
continuity in serial numbers within the number range on documents. A check digit is a numeric
value that has been calculated mathematically and added to data to ensure that the original data
have not been altered or an incorrect, but valid, value substituted. Completeness checks ensure
that all the characters required for a field have been input.
..........................................................................................................
42. An IS auditor is told by IS management that the organization has recently reached the
highest level of the software capability maturity model (CMM). The software quality
process MOST recently added by the organization is:
A. continuous improvement.
B. quantitative quality goals.
C. a documented process.
D. a process tailored to specific projects.
The correct answer is:
A. continuous improvement.
Explanation:
An organization would have reached the highest level of the software CMM at level 5,
optimizing. Quantitative quality goals can be reached at level 4 and below, a documented process
is executed at level 3 and below, and a process tailored to specific projects can be achieved at
level 3 or below.
..........................................................................................................
43. The use of fourth-generation languages (4GLs) should be weighed carefully against
using traditional languages, because 4GLs:
A. can lack the lower-level detail commands necessary to perform data intensive
operations.
B. cannot be implemented on both the mainframe processors and microcomputers.
C. generally contain complex language subsets that must be used by skilled users.
D. cannot access database records and produce complex online outputs.
The correct answer is:
A. can lack the lower-level detail commands necessary to perform data intensive
operations.
Explanation:
All of the answers are advantages of using 4GLs except that they can lack the lower-level detail
commands necessary to perform data intensive operations. These operations are usually required
when developing major applications.
..........................................................................................................
44. During the development of an application, the quality assurance testing and user
acceptance testing were combined. The MAJOR concern for an IS auditor reviewing the
project is that there will be:
A. increased maintenance.
B. improper documentation of testing.
C. inadequate functional testing.
D. delays in problem resolution.
The correct answer is:
C. inadequate functional testing.
Explanation:
The major risk of combining quality assurance testing and user acceptance testing is that
functional testing may be inadequate. Choices A, B and D are not as important.
..........................................................................................................
45. An organization has contracted with a vendor for a turnkey solution for their electronic
toll collection system (ETCS). The vendor has provided its proprietary application software
as part of the solution. The contract should require that:
A. a backup server be available to run ETCS operations with up-to-date data.
B. a backup server be loaded with all the relevant software and data.
C. the systems staff of the organization be trained to handle any event.
D. source code of the ETCS application be placed in escrow.
The correct answer is:
D. source code of the ETCS application be placed in escrow.
Explanation:
Whenever proprietary application software is purchased, the contract should provide for a source
code agreement. This will ensure that the purchasing company will have the opportunity to
modify the software should the vendor cease to be in business. Having a backup server with
current data and staff training is critical but not as critical as ensuring the availability of the
source code.
..........................................................................................................
46. Which of the following is a dynamic analysis tool for the purpose of testing software
modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code
The correct answer is:
A. Black box test
Explanation:
A black box test is a dynamic analysis tool for testing software modules: the software is actually
executed. During the testing of software modules a black box test first exercises the modules
together as a single unit/entity, and second exercises them with the user data that flows across
software modules; in some cases that data even drives the software behavior. In choices B, C and D,
the software (design or code) remains static and somebody closely examines it by applying his/her
mind, without actually activating the software. Hence, these cannot be referred to as dynamic
analysis tools.
..........................................................................................................
47. The impact of EDI on internal controls will be:
A. that fewer opportunities for review and authorization will exist.
B. an inherent authentication.
C. a proper distribution of EDI transactions while in the possession of third parties.
D. that IPF management will have increased responsibilities over data center controls.
The correct answer is:
A. that fewer opportunities for review and authorization will exist.
Explanation:
EDI promotes a more efficient paperless environment, but at the same time, less human
intervention makes it more difficult for reviewing and authorizing. Choice B is incorrect; since
the interaction between parties is electronic, there is no inherent authentication occurring.
Computerized data can look the same no matter what the source and does not include any
distinguishing human element or signature. Choice C is incorrect because this is a security risk
associated with EDI. Choice D is incorrect because there are relatively few, if any, additional
data center controls associated with the implementation of EDI applications. Instead, more
control will need to be exercised by the user's application system to replace manual controls,
such as site reviews of documents. More emphasis will need to be placed on control over data
transmission (network management controls).
..........................................................................................................
48. Which of the following tasks occurs during the research stage of the benchmarking
process?
A. Critical processes are identified.
B. Benchmarking partners are visited.
C. Findings are translated into core principles.
D. Benchmarking partners are identified.
The correct answer is:
D. Benchmarking partners are identified.
Explanation:
During the research stage, the team collects data and identifies the benchmarking partners. In the
planning stage, the team identifies the critical processes to be benchmarked. Visiting the
benchmarking partners is performed in the observation stage. Translating the findings into core
principles is performed during the adaptation stage.
..........................................................................................................
49. Which of the following would be a risk specifically associated with the agile
development process?
A. Lack of documentation
B. Lack of testing
C. Poor requirements definition
D. Poor project management practices
The correct answer is:
A. Lack of documentation
Explanation:
Agile development relies on knowledge held by people within the organization, as opposed to
external knowledge. The main issue is the necessity for providing compensating controls to
ensure that changes and enhancements to the system can be made later on, even if the key
personnel who know the implemented business logic leave the company. Lack of testing might
be an issue but without formal documentation it is difficult for an auditor to gather objective
evidence. Rapid response to changing requirements is one strength of the agile development
processes. Replanning the project at the end of each iteration, including reprioritizing
requirements, identifying any new requirements and determining in which release delivered
functionality is to be implemented, is a main aspect of the agile process. Applied project
management practices are slightly different than those required for traditional methods of
software development. The project manager's role shifts from one primarily concerned
with planning the project, allocating tasks and monitoring progress, to that of a facilitator and
advocate. Responsibility for planning and control shifts to the team members.
..........................................................................................................
50. An IS auditor evaluating data integrity in a transaction-driven system environment
should review atomicity to determine whether:
A. the database survives failures (hardware or software).
B. each transaction is separated from other transactions.
C. integrity conditions are maintained.
D. a transaction is completed or a database is updated.
The correct answer is:
D. a transaction is completed or a database is updated.
Explanation:
This concept is included in the atomicity, consistency, isolation and durability (ACID)
principle. Atomicity means that a transaction is either completed in its entirety or not at all;
a partially applied transaction is rolled back. Durability means that the database survives failures
(hardware or software). Isolation means that each transaction is separated from other transactions.
Consistency means that integrity conditions are maintained.
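The atomicity and consistency properties described above, shown as an added example with Python's standard sqlite3 module (this code is not part of the question bank or of the ISACA explanation). The accounts table, account names and balances are constructed sample data. The CHECK constraint plays the role of the integrity condition that consistency preserves, and the connection's context manager commits on success and rolls back on any exception, so a transfer whose second update fails leaves its first update undone:

```python
import sqlite3


def make_db():
    """In-memory accounts table with constructed sample balances."""
    conn = sqlite3.connect(":memory:")
    # The CHECK is the integrity condition: no account may go negative.
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 50)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst atomically.

    Returns True if both updates were committed, False if the whole
    transaction was rolled back (nothing is ever half-applied).
    """
    try:
        # `with conn:` commits when the block completes, rolls back on exception.
        with conn:
            debit = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src)
            )
            if debit.rowcount != 1:
                raise LookupError(f"unknown source account {src!r}")
            credit = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst)
            )
            if credit.rowcount != 1:
                # The debit above has already run; rollback must undo it.
                raise LookupError(f"unknown destination account {dst!r}")
        return True
    except (sqlite3.IntegrityError, LookupError):
        # IntegrityError: the CHECK constraint (consistency) rejected an update.
        # LookupError: a missing account was detected after the debit (atomicity).
        return False


def balances(conn):
    """Current balances as {account_id: balance}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    db = make_db()
    print(transfer(db, "A", "B", 30), balances(db))    # True  {'A': 70, 'B': 80}
    print(transfer(db, "A", "Z", 10), balances(db))    # False {'A': 70, 'B': 80}
    print(transfer(db, "A", "B", 500), balances(db))   # False {'A': 70, 'B': 80}
```

The second call is the case the auditor cares about: the debit of account A has executed by the time the missing destination is detected, and only the rollback keeps A's balance from being silently reduced.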
..........................................................................................................
51. In an electronic fund transfer (EFT) system, which of the following controls would be
useful in detecting a duplication of messages?
A. Message authentication code
B. Digital signature
C. Authorization sequence number
D. Segregation of authorization
The correct answer is:
C. Authorization sequence number
Explanation:
All of these controls are necessary in an EFT system; however, the authorization sequence
number is the control that will detect the duplication of a message. A message authentication
code detects unauthorized modifications, a digital signature ensures nonrepudiation, and the
segregation of the creation of the message and the authorization will avoid dummy messages.
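An added example (not from the question bank or the ISACA explanation) of how the controls named in this answer divide the work at a receiving EFT system: the message authentication code catches a modified message, while the authorization sequence number catches a duplicated or replayed one and, as a side effect, a lost one. The message layout, the account names and amounts, the shared key and the use of HMAC-SHA256 as the MAC are all assumptions made for the example; a real EFT system would also carry a digital signature for nonrepudiation, which is omitted here:

```python
import hashlib
import hmac
import json

# Assumption: a key shared out of band between the originator and the bank.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def build_message(seq, payload, key=SHARED_KEY):
    """Originator side: serialise the payload with its authorization sequence
    number and attach a MAC over the serialised bytes."""
    body = json.dumps({"seq": seq, **payload}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, mac


class EFTReceiver:
    """Bank side: verify the MAC, then enforce a strictly increasing sequence number."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.expected_seq = 1   # next sequence number we are willing to accept
        self.accepted = []      # messages that passed both checks

    def process(self, body, mac):
        """Return 'accepted', 'bad_mac', 'duplicate' or 'gap'."""
        good = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(good, mac):
            return "bad_mac"              # MAC: content was modified in transit
        seq = json.loads(body)["seq"]
        if seq < self.expected_seq:
            return "duplicate"            # sequence number: already processed
        if seq > self.expected_seq:
            return "gap"                  # sequence number: an earlier message is missing
        self.expected_seq += 1
        self.accepted.append(json.loads(body))
        return "accepted"


def demo():
    """Constructed delivery scenario; returns the receiver's verdict per delivery."""
    rx = EFTReceiver()
    results = []
    m1 = build_message(1, {"to": "ACCT-1", "amount": 100})
    results.append(rx.process(*m1))             # first delivery: accepted
    results.append(rx.process(*m1))             # same message delivered again: duplicate
    body2, mac2 = build_message(2, {"to": "ACCT-2", "amount": 250})
    tampered = body2.replace(b'"amount": 250', b'"amount": 2500')
    results.append(rx.process(tampered, mac2))  # amount altered in transit: bad_mac
    body3, mac3 = build_message(3, {"to": "ACCT-3", "amount": 75})
    results.append(rx.process(body3, mac3))     # message 2 not yet seen: gap
    results.append(rx.process(body2, mac2))     # untampered message 2 arrives: accepted
    return results


if __name__ == "__main__":
    print(demo())   # ['accepted', 'duplicate', 'bad_mac', 'gap', 'accepted']
```

Note that the MAC alone would have accepted the duplicated first message, since its content and MAC are both valid; only the sequence number distinguishes the second delivery from the first.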
..........................................................................................................
52. The request for proposal (RFP) for the acquisition of an application system would
MOST likely be approved by the:
A. project steering committee.
B. project sponsor.
C. project manager.
D. user project team.
The correct answer is:
A. project steering committee.
Explanation:
A project steering committee usually consists of a senior representative from each function that
will be affected by the new system and would be the most appropriate group to approve the RFP.
The project sponsor provides funding for the project. The project manager and user project team
are responsible for drafting the RFP.
..........................................................................................................
53. Which of the following types of testing would determine whether a new or modified
system can operate in its target environment without adversely impacting other existing
systems?
A. Parallel testing
B. Pilot testing
C. Interface/integration testing
D. Sociability testing
The correct answer is:
D. Sociability testing
Explanation:
The purpose of sociability testing is to confirm that a new or modified system can operate in its
target environment without adversely impacting existing systems. This should cover the platform
that will perform primary application processing and interfaces with other systems, as well as
changes to the desktop in a client-server or web development. Parallel testing is the process of
feeding data into two systems—the modified system and an alternate system—and comparing
the results. In this approach, the old and new systems operate concurrently for a period of time
and perform the same processing functions. Pilot testing takes place first at one location and is
then extended to other locations. The purpose is to see if the new system operates satisfactorily
in one place before implementing it at other locations. Interface/integration testing is a hardware
or software test that evaluates the connection of two or more components that pass information
from one area to another. The objective is to take unit-tested modules and build an integrated
structure.
..........................................................................................................
54. An IS auditor recommends that an initial validation control be programmed into a
credit card transaction capture application. The initial validation process would MOST
likely:
A. check to ensure that the type of transaction is valid for the card type.
B. verify the format of the number entered then locate it on the database.
C. ensure that the transaction entered is within the cardholder's credit limit.
D. confirm that the card is not shown as lost or stolen on the master file.
The correct answer is:
B. verify the format of the number entered then locate it on the database.
Explanation:
The initial validation should confirm whether the card is valid. This validity is established
through the card number and PIN entered by the user. Based on this initial validation, all other
validations will proceed. A validation control in data capture will ensure that the data entered is
valid (i.e., it can be processed by the system). If the data captured in the initial validation is not
valid (if the card number or PIN do not match with the database), then the card will be rejected
or captured per the controls in place. Once initial validation is completed, then other validations
specific to the card and cardholder would be performed.
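An added example, not part of the question bank, that covers both the check digit described in the answer to question 41 and the initial validation in question 54 (verify the format of the number entered, then locate it on the database). The question bank does not name a check digit algorithm; the Luhn algorithm used here is an assumption, chosen because it is what payment card numbers carry. The card master table and the card numbers in it are constructed test data, and the PIN comparison mentioned in the explanation is left out:

```python
def luhn_checksum(digits: str) -> int:
    """Luhn sum over the whole number including its rightmost check digit.
    The number is well-formed iff the result is 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_append(payload: str) -> str:
    """Compute the check digit for a digit string and append it."""
    partial = luhn_checksum(payload + "0")
    return payload + str((10 - partial) % 10)


def is_valid_card_format(number: str) -> bool:
    """Format check only: digits, plausible length, check digit agrees."""
    n = number.replace(" ", "").replace("-", "")
    return n.isdigit() and 12 <= len(n) <= 19 and luhn_checksum(n) == 0


# Constructed card master file for the example; the number is a well-known
# Luhn-valid test value, not an issued card.
CARD_MASTER = {
    "4539148803436467": {"holder": "Test Cardholder", "status": "active"},
}


def initial_validation(number: str, master=CARD_MASTER) -> str:
    """Question 54's initial validation: format first, then the database lookup.
    Returns 'invalid_format', 'not_on_file' or 'ok'."""
    n = number.replace(" ", "").replace("-", "")
    if not is_valid_card_format(n):
        return "invalid_format"      # keying error caught by the check digit
    if n not in master:
        return "not_on_file"         # valid-looking but unknown: lookup rejects it
    return "ok"                      # card-specific validations can proceed


if __name__ == "__main__":
    print(luhn_append("453914880343646"))                  # 4539148803436467
    print(initial_validation("4539-1488-0343-6467"))       # ok
    print(initial_validation("4539 1488 3043 6467"))       # invalid_format (03 -> 30)
    print(initial_validation(luhn_append("400000000000000")))  # not_on_file
```

The transposition in the third call is exactly the keying error a check digit exists to catch; the fourth call shows why the check digit alone is not sufficient as a control. The number passes the format check, since it carries a correct check digit, and only the lookup against the master file rejects it, which is the "incorrect, but valid, value" case the answer to question 41 describes.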
..........................................................................................................
55. The GREATEST advantage of rapid application development (RAD) over the
traditional system development life cycle (SDLC) is that it:
A. facilitates user involvement.
B. allows early testing of technical features.
C. facilitates conversion to the new system.
D. shortens the development time frame.
The correct answer is:
D. shortens the development time frame.
Explanation:
The greatest advantage of RAD is the shorter time frame for the development of a system.
Choices A and B are true, but they are also true for the traditional systems development life
cycle. Choice C is not necessarily always true.
..........................................................................................................
56. A distinguishing feature of fourth-generation languages (4GLs) is portability, which
means:
A. Environmental independence
B. Workbench concepts (i.e., temporary storage, test editing, etc.)
C. Ability to design screen formats and develop graphical outputs
D. Ability to execute online operations
The correct answer is:
A. Environmental independence
Explanation:
Portability describes the ability of 4GLs to execute across computer architectures, operating
systems, mainframe processors and personal computers. Choices B, C and D are other attributes
of 4GLs.
..........................................................................................................
57. Which of the following is a characteristic of timebox management? It:
A. is not suitable for prototyping or rapid application development (RAD).
B. eliminates the need for a quality process.
C. prevents cost overruns and delivery delays.
D. separates system and user acceptance testing.
The correct answer is:
C. prevents cost overruns and delivery delays.
Explanation:
Timebox management, by its nature, sets specific time and cost boundaries. It is very suitable for
prototyping and RAD, and integrates system and user acceptance testing, but does not eliminate
the need for a quality process.
..........................................................................................................
58. Which of the following represents the GREATEST potential risk in an EDI
environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application
controls
The correct answer is:
A. Transaction authorization
Explanation:
Since the interaction between parties is electronic, there is no inherent authentication occurring;
therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks,
but the impact is not as great as that of unauthorized transactions. Transmission delays may
terminate the process or hold the line until the normal time for processing has elapsed; however,
there will be no loss of data.
..........................................................................................................
59. When assessing the portability of a database application, the IS auditor should verify
that:
A. a structured query language (SQL) is used.
B. information import and export procedures exist with other systems.
C. indexes are used.
D. all entities have a significant name and identified primary and foreign keys.
The correct answer is:
A. a structured query language (SQL) is used.
Explanation:
The use of an SQL is a key element for database portability. Import and export of information
with other systems is an objective of a database interfaces review. The use of an index is an
objective of a database access review, and the fact that all entities have a significant name and
identified primary and foreign keys is an objective of a database design review.
..........................................................................................................
60. Which of the following types of controls is designed to provide the ability to verify data
and record values through the stages of application processing?
A. Range checks
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports
The correct answer is:
B. Run-to-run totals
Explanation:
Run-to-run totals provide the ability to verify data values through the stages of application
processing. Run-to-run total verification ensures that data read into the computer were accepted
and then applied to the updating process.
..........................................................................................................
61. During an application audit, the IS auditor finds several problems related to corrupted
data in the database. Which of the following is a corrective control that the IS auditor
should recommend?
A. Implement data backup and recovery procedures.
B. Define standards and closely monitor for compliance.
C. Ensure that only authorized personnel can update the database.
D. Establish controls to handle concurrent access problems.
The correct answer is:
A. Implement data backup and recovery procedures.
Explanation:
Implementing data backup and recovery procedures is a corrective control, because backup and
recovery procedures can be used to roll back database errors. Defining or establishing standards
is a preventive control, and monitoring for compliance is a detective control. Ensuring that only
authorized personnel can update the database is a preventive control. Establishing controls to
handle concurrent access problems is a preventive control.
..........................................................................................................
62. A manufacturing firm wants to automate its invoice payment system. Objectives state
that the system should require considerably less time for review and authorization and the
system should be capable of identifying errors that require follow up. Which of the
following would BEST meet these objectives?
A. Establishing an inter-networked system of client servers with suppliers for increased
efficiencies
B. Outsourcing the function to a firm specializing in automated payments and accounts
receivable/invoice processing
C. Establishing an EDI system of electronic business documents and transactions with key
suppliers, computer to computer, in a standard format
D. Reengineering the existing processing and redesigning the existing system
The correct answer is:
C. Establishing an EDI system of electronic business documents and transactions with key
suppliers, computer to computer, in a standard format
Explanation:
EDI is the best answer. Properly implemented (e.g., agreements with trading partners, transaction
standards, and controls over network security mechanisms in conjunction with application controls),
EDI is best suited to identify and follow up on errors more quickly, given the reduced opportunities
for review and authorization.
..........................................................................................................
63. Which of the following is the GREATEST risk when implementing a data warehouse?
A. Increased response time on the production systems
B. Access controls that are not adequate to prevent data modification
C. Data duplication
D. Data that is not updated or current
The correct answer is:
B. Access controls that are not adequate to prevent data modification
Explanation:
Once the data is in a warehouse, no modifications should be made to it and access controls
should be in place to prevent data modification. Increased response time on the production
systems is not a risk, because a data warehouse does not impact production data. Based on data
replication, data duplication is inherent in a data warehouse. Transformation of data from
operational systems to a data warehouse is done at predefined intervals, and as such, data may
not be current.
..........................................................................................................
64. A financial institution is using an expert system for managing credit limits. An IS
auditor reviewing the system should be MOST concerned with the:
A. validation of data inputs into the system.
B. level of experience and skills contained in the knowledge base.
C. access control settings.
D. implemented processing controls.
The correct answer is:
B. level of experience and skills contained in the knowledge base.
Explanation:
The level of experience or intelligence in the knowledge base is a key concern for the IS auditor,
as decision errors based on a lack of knowledge could have a severe impact on the organization.
Choices A, C and D are not as important as B.
..........................................................................................................
65. Which of the following is a strength of the program evaluation review technique
(PERT) over other techniques? PERT:
A. considers different scenarios for planning and control projects.
B. allows the user to input program and system parameters.
C. tests system maintenance processes accurately.
D. estimates costs of system projects.
The correct answer is:
A. considers different scenarios for planning and control projects.
Explanation:
PERT considers different scenarios for planning and controlling projects. Three time estimates—
optimistic, pessimistic and most likely—are used to create a level of uncertainty in the estimation
of the time for individual activities.
..........................................................................................................
66. During the review of a web-based software development project, the IS auditor realizes
that coding standards are not enforced and code reviews are rarely carried out. This will
MOST likely increase the likelihood of a successful:
A. buffer overflow.
B. brute force attack.
C. distributed denial-of-service attack.
D. war dialing attack.
The correct answer is:
A. buffer overflow.
Explanation:
Poorly written code, especially in web-based applications, is often exploited by hackers using
buffer overflow techniques. A brute-force attack is used to crack passwords. A distributed
denial-of-service attack floods its target with numerous packets, to prevent it from responding to
legitimate requests. War dialing uses modem-scanning tools to hack PBXs.
..........................................................................................................
67. When selecting software, which of the following business and technical issues is the
MOST important to be considered?
A. Vendor reputation
B. Requirements of the organization
C. Cost factors
D. An installed base
The correct answer is:
B. Requirements of the organization
Explanation:
Establishing the requirements of the organization is a task that should be completed early in the
process. Cost factors are a part of the analysis in the evaluation of software alternatives. A
vendor's reputation and the installed base become important only after the requirements are met.
..........................................................................................................
68. An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transactions are representative of live processing.
The correct answer is:
D. test transactions are representative of live processing.
Explanation:
Test data will be representative of live processing; however, it is unlikely that all transaction
types or error conditions will be tested in this way.
..........................................................................................................
69. To reduce the possibility of losing data during processing, the FIRST point at which
control totals should be implemented is:
A. during data preparation.
B. in transit to the computer.
C. between related computer runs.
D. during the return of the data to the user department.
The correct answer is:
A. during data preparation.
Explanation:
During data preparation is the best answer, because it establishes control at the earliest point.
..........................................................................................................
70. In a data warehouse, data quality is achieved by:
A. cleansing.
B. restructuring.
C. source data credibility.
D. transformation.
The correct answer is:
C. source data credibility.
Explanation:
In a data warehouse system, the quality of data depends on the quality of the originating source.
Choices A, B and D relate to the composition of a data warehouse and do not affect data quality.
Restructuring, transformation and cleansing all relate to reorganization of existing data within
the database.
..........................................................................................................
71. Which of the following is used to ensure that batch data is completely and accurately
transferred between two systems?
A. Control total
B. Check digit
C. Check sum
D. Control account
The correct answer is:
A. Control total
Explanation:
A control total is frequently used as an easily recalculated control. The number of invoices in a
batch or the value of invoices in a batch are examples of control totals. They provide a simple
way of following an audit trail from a general ledger summary item to an individual transaction,
and back. A check digit is a method of verifying the accuracy of a single data item, such as a
credit card number. Although a check sum is an excellent control over batch completeness and
accuracy, it is not easily recalculated by hand and, therefore, is not as commonly used in financial
systems as a control total. Check sums are frequently used in data transfer as part of
communication and cryptographic protocols. Control accounts are used in financial systems to
ensure that components that exchange summary information, such as a sales register and a general
ledger, can be reconciled.
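To make the distinction between these controls concrete, here is an added example (not from the question bank) that recomputes a record count, a value total and a hash total for a constructed invoice batch, validates a check digit on a single invoice number, and takes a SHA-256 checksum over the whole file. The batch itself, the choice of the Luhn algorithm for the check digit and the use of the invoice numbers as the hash-total field are assumptions for the illustration; the same totals are what "hash totals in the order transmitting process" in question 80 refers to.

```python
"""Batch integrity controls for a file transfer: control totals, a check digit
and a checksum. Added example; the invoice batch below is constructed."""
import hashlib
from decimal import Decimal

# Constructed sample batch: (invoice number, amount). The last digit of each
# invoice number is a Luhn check digit (an assumption for this illustration).
BATCH = [
    ("79927398713", Decimal("120.50")),
    ("49927398716", Decimal("75.00")),
    ("12345678903", Decimal("1000.00")),
]


def luhn_valid(number: str) -> bool:
    """Check digit test (Luhn): verifies ONE identifier, not a whole batch."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def control_totals(batch) -> dict:
    """Easily recalculated batch totals: record count, value total, hash total."""
    count = len(batch)
    value = sum(amount for _, amount in batch)
    # hash total: sum of a field with no business meaning (the invoice numbers);
    # it catches a transposed or substituted identifier that the value total misses
    hash_total = sum(int(num) for num, _ in batch)
    return {"count": count, "value": value, "hash_total": hash_total}


def checksum(batch) -> str:
    """SHA-256 over the serialized batch. Detects any change at all, but cannot
    be recomputed from the batch header by a clerk with a calculator."""
    serialized = "\n".join(f"{num}|{amount}" for num, amount in batch)
    return hashlib.sha256(serialized.encode()).hexdigest()


def reconcile(sent, received) -> list:
    """Receiver-side check: names of the control totals that disagree."""
    a, b = control_totals(sent), control_totals(received)
    return [name for name in a if a[name] != b[name]]
```

Each control catches something the others miss: a dropped record trips the count and value totals, a transposed invoice number trips the check digit and the hash total but neither the count nor the value, and moving value between two records in the same batch leaves every control total unchanged and is caught only by the checksum.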
..........................................................................................................
72. A number of system failures are occurring when corrections to previously detected
errors are resubmitted for acceptance testing. This would indicate that the maintenance
team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walk-throughs
D. Configuration management
The correct answer is:
B. Integration testing
Explanation:
A common system maintenance problem is that errors are corrected quickly, especially when
deadlines are tight: units are tested by the programmer and then transferred directly to the
acceptance test area, which often results in system problems that should have been detected
during integration or system testing. Integration testing aims at ensuring that the major
components of the system interface correctly.
..........................................................................................................
73. An IS auditor performing a review of the EFT operations of a retailing company would
verify that the customer's credit limit is checked before funds are transferred by reviewing
the EFT:
A. system's interface.
B. switch facility.
C. personal identification number generating procedure.
D. operation backup procedures.
The correct answer is:
A. system's interface.
Explanation:
At the application processing level, the IS auditor should review the interface between the EFT
system and the application system that processes the accounts from which funds are transferred.
Choice B is incorrect because an EFT switch is the facility that provides the communication
linkage for all equipment in the network. Choices C and D are procedures that would not help
determine if the customer's credit limit is verified before the funds are transferred.
..........................................................................................................
74. The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.
The correct answer is:
A. facilitate the ability to reuse modules.
Explanation:
One of the major benefits of object-oriented design and development is the ability to reuse
modules. The other options do not normally benefit from the object-oriented technique.
..........................................................................................................
75. A programmer included a routine into a payroll application to search for his/her own
payroll number. As a result, if this payroll number does not appear during the payroll run,
a routine will generate and place random numbers onto every paycheck. This routine is
known as:
A. scavenging.
B. data leakage.
C. piggybacking.
D. a Trojan horse.
The correct answer is:
D. a Trojan horse.
Explanation:
A Trojan horse is malicious code hidden in an authorized computer program. The hidden code
will be executed whenever the authorized program is executed. In this case, as long as the
perpetrator's payroll number is part of the payroll process nothing happens, but as soon as the
payroll number is gone the hidden routine fires and corrupts every paycheck. The conditional
trigger (run only once the programmer is no longer on the payroll) is what makes this a logic
bomb planted inside the application.
..........................................................................................................
76. In an artificial intelligence system, access to which of the following components should
be strictly controlled?
A. Inference engine
B. Explanation module
C. Knowledge base
D. Data interface
The correct answer is:
C. Knowledge base
Explanation:
The knowledge base contains specific information or fact patterns associated with a particular
subject matter and the rules for interpreting these facts; therefore, strict access controls should be
implemented and monitored to ensure the integrity of the decision rules. The inference engine is
a program that uses the knowledge base and determines the most appropriate outcome based on
the information supplied by the user. The data interface enables the expert system to collect
data from nonhuman sources, for example, measurement instruments in a power plant. The
explanation module aids the user in addressing the problem to be analyzed and provides the
expert conclusion.
..........................................................................................................
77. During a postimplementation review, which of the following tools would an IS auditor
use to get the picture of the internal memory's content at different stages in the program
execution?
A. Memory dump
B. Logic path monitor
C. Trace utility
D. Output analyzer
The correct answer is:
C. Trace utility
Explanation:
A trace utility is used to get the picture of the internal memory's content at different stages in the
program execution to show the evolution of such things as counters and registers. Memory dump
is used to get the picture of the internal memory's content at one point in time, mainly produced
when the program is aborted. Logic path monitor reports on the sequence of events achieved by
the program, thus providing clues on logic errors. Output analyzers help check the results of
program execution for accuracy.
..........................................................................................................
78. Which of the following is the MOST critical and contributes the MOST to the quality of
data in a data warehouse?
A. Accuracy of the source data
B. Credibility of the data source
C. Accuracy of the extraction process
D. Accuracy of the data transformation
The correct answer is:
A. Accuracy of the source data
Explanation:
Accuracy of source data is a prerequisite for the quality of the data in a data warehouse.
Credibility of the data source is important, accurate extraction processes are important and
accurate transformation routines are important but would not change inaccurate data into quality
(accurate) data.
..........................................................................................................
79. Peer reviews to detect software errors during a program development activity are
called:
A. emulation techniques.
B. structured walk-throughs.
C. modular program techniques.
D. top-down program construction.
The correct answer is:
B. structured walk-throughs.
Explanation:
A structured walk-through is a management tool for improving productivity. Structured walk-throughs
can detect an incorrect or improper interpretation of the program specifications. This, in
turn, improves the quality of system testing and acceptance of it. The other choices are methods
or tools in the overall systems development process.
..........................................................................................................
80. A company has implemented a new client-server enterprise resource planning (ERP)
system. Local branches transmit customer orders to a central manufacturing facility.
Which of the following would BEST ensure that the orders are entered accurately and the
corresponding products are produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production
The correct answer is:
A. Verifying production to customer orders
Explanation:
Verification will ensure that production orders match customer orders. Logging can be used to
detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure
accurate order transmission, but not accurate processing centrally. Production supervisory
approval is a time-consuming, manual process that does not guarantee proper control.
..........................................................................................................
81. Once an organization has finished the business process reengineering (BPR) of all its
critical operations, the IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.
The correct answer is:
B. post-BPR process flowcharts.
Explanation:
The IS auditor's task is to identify and ensure that key controls have been incorporated into the
reengineered process. Choice A is incorrect because an IS auditor must review the process as it is
today, not as it was in the past. Choices C and D are incorrect because they are steps within a
BPR project.
..........................................................................................................
82. The primary purpose of a system test is to:
A. test the generation of the designed control totals.
B. determine whether the documentation of the system is accurate.
C. evaluate the system functionally.
D. ensure that the system operators become familiar with the new system.
The correct answer is:
C. evaluate the system functionally.
Explanation:
The primary reason why a system is tested is to evaluate the entire system functionality.
..........................................................................................................
83. When auditing the proposed acquisition of a new computer system, the IS auditor
should FIRST establish that:
A. a clear business case has been approved by management.
B. corporate security standards will be met.
C. users will be involved in the implementation plan.
D. the new system will meet all required user functionality.
The correct answer is:
A. a clear business case has been approved by management.
Explanation:
The first concern of the IS auditor should be to establish that the proposal meets the needs of the
business, and this should be established by a clear business case. Although compliance with
security standards is essential, as are meeting the needs of the users and having users involved in
the implementation process, it is too early in the procurement process for these to be the IS
auditor's first concern.
..........................................................................................................
84. Which of the following is a check (control) for completeness?
A. Check digits
B. Parity bits
C. One-for-one checking
D. Prerecorded input
The correct answer is:
B. Parity bits
Explanation:
Parity bits are used to check for completeness of data transmissions; a single parity bit detects
any odd number of flipped bits in a block but not an even number, which is why stronger
redundancy checks are used where that matters. Choice A is incorrect because check digits are a
control check for accuracy. Choice C is incorrect because, in one-for-one checking, individual
documents are matched to a detailed listing of documents processed by the computer, but this does
not ensure that all documents have been received for processing. Choice D (prerecorded input) is
a data file control for which selected information fields are preprinted on blank input forms to
reduce the chance of input errors.
..........................................................................................................
85. The phases and deliverables of a system development life cycle (SDLC) project should
be determined:
A. during the initial planning stages of the project.
B. after early planning has been completed, but before work has begun.
C. throughout the work stages, based on risks and exposures.
D. only after all risks and exposures have been identified and the IS auditor has
recommended appropriate controls.
The correct answer is:
A. during the initial planning stages of the project.
Explanation:
It is extremely important that the project be planned properly and that the specific phases and
deliverables be identified during the early stages of the project.
..........................................................................................................
86. Which of the following is MOST critical when creating data for testing the logic in a
new or modified application system?
A. A sufficient quantity of data for each test case
B. Data representing conditions that are expected in actual processing
C. Completing the test on schedule
D. A random sample of actual data
The correct answer is:
B. Data representing conditions that are expected in actual processing
Explanation:
Selecting the right kind of data is key in testing a computer system. The data should not only
include valid and invalid data but should be representative of actual processing. Quality is more
important than quantity. It is more important to have adequate test data than to complete the
testing on schedule. It is unlikely that a random sample of actual data would cover all test
conditions and provide a reasonable representation of actual data.
..........................................................................................................
87. An IS auditor's PRIMARY concern when application developers wish to use a copy of
yesterday's production transaction file for volume tests is that:
A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitive data may result.
C. error handling and credibility checks may not be fully proven.
D. the full functionality of the new process may not necessarily be tested.
The correct answer is:
B. unauthorized access to sensitive data may result.
Explanation:
Unless the data are sanitized, there is a risk of disclosing sensitive data.
..........................................................................................................
88. When transmitting a payment instruction, which of the following will help verify that
the instruction was not duplicated?
A. Use of a cryptographic hashing algorithm
B. Enciphering the message digest
C. Deciphering the message digest
D. A sequence number and time stamp
The correct answer is:
D. A sequence number and time stamp
Explanation:
When transmitting data, a sequence number and/or time stamp built into the message to make it
unique can be checked by the recipient to ensure that the message was not intercepted and
replayed. This is known as replay protection and can be used to verify that a payment
instruction was not duplicated; the sequence number or time stamp must itself be covered by the
message's integrity check, otherwise an attacker can simply alter it and resend. Use of a
cryptographic hashing algorithm over the entire message helps achieve data integrity.
Enciphering the message digest with the sender's private key produces the sender's digital
signature on the document and helps authenticate the transaction. When the receiver deciphers
the digest with the sender's public key, it confirms that the message could only have come from
the sender. This sender authentication supports nonrepudiation.
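The following is an added example, not from the question bank, of the receiver-side check described above: each instruction carries a sequence number and a time stamp, both covered by an HMAC so they cannot be altered without detection, and the receiver rejects duplicates, stale instructions, forged sequence numbers and instructions that fall outside its tracking window. The field names, the shared key and the 300-second skew and 64-message window are assumptions; a real payment channel would use its own message format and key management.

```python
"""Replay protection for payment instructions: sequence number plus time stamp,
both covered by a MAC. Added example; the message layout, key and limits are
assumptions for the illustration, not a real payment format."""
import hashlib
import hmac
import json

KEY = b"shared-secret-for-illustration"   # assumption: key shared by both ends
MAX_SKEW = 300   # seconds: instructions older or newer than this are stale
WINDOW = 64      # sequence numbers remembered per sender for out-of-order delivery


def _tag(body: dict, key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign(instruction: dict, key: bytes = KEY) -> dict:
    """Sender side. The MAC covers seq and ts, so neither can be changed by a
    replaying party without invalidating the tag."""
    return {**instruction, "mac": _tag(instruction, key)}


class Receiver:
    """Receiver side: verifies the MAC, then freshness, then uniqueness."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.highest = {}   # sender -> highest sequence number accepted
        self.seen = {}      # sender -> sequence numbers accepted inside the window

    def accept(self, msg: dict, now: int):
        body = {k: v for k, v in msg.items() if k != "mac"}
        if not hmac.compare_digest(_tag(body, self.key), msg.get("mac", "")):
            return False, "bad mac"          # forged or altered instruction
        if abs(now - msg["ts"]) > MAX_SKEW:
            return False, "stale timestamp"  # replayed long after the fact
        sender, seq = msg["sender"], msg["seq"]
        highest = self.highest.get(sender, 0)
        seen = self.seen.setdefault(sender, set())
        if seq <= highest - WINDOW:
            return False, "outside window"   # too old to track: treat as replay
        if seq in seen:
            return False, "duplicate"        # same instruction delivered again
        seen.add(seq)
        if seq > highest:
            self.highest[sender] = seq
            seen.difference_update({s for s in seen if s <= seq - WINDOW})
        return True, "ok"
```

A duplicate is rejected even though its MAC verifies: the MAC proves the instruction is authentic, the sequence number and time stamp prove it is fresh, and the replay defence needs both. Two genuinely distinct credits for the same account and amount are still accepted because they carry different sequence numbers.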
..........................................................................................................
89. A tax calculation program maintains several hundred tax rates. The BEST control to
ensure that tax rates entered into the program are accurate is:
A. an independent review of the transaction listing.
B. a programmed edit check to prevent entry of invalid data.
C. programmed reasonableness checks with a 20 percent data entry range.
D. a visual verification of data entered by the processing department.
The correct answer is:
A. an independent review of the transaction listing.
Explanation:
Tax rates represent critical data that will be used in numerous calculations and should be
independently verified by someone other than the entry person before they are used in
processing. Choices B and C are programmed controls that are useful for preventing gross errors,
that is, errors such as an added zero or alpha instead of a numeric. A tax table must be 100
percent accurate, not just readable. Choice D will allow the data entry person to check input
accuracy, but it is not sufficient.
..........................................................................................................
90. Which of the following is often an advantage of using prototyping for systems
development?
A. The finished system will have adequate controls.
B. The system will have adequate security/audit trail.
C. It reduces time to deployment.
D. It is easy to achieve change control.
The correct answer is:
C. It reduces time to deployment.
Explanation:
Prototyping is the process of creating systems through controlled trial and error. This method of
system development can provide the organization with significant time and cost savings. By
focusing mainly on what the user wants and sees, developers may miss some of the controls that
come from the traditional systems development approach; therefore, a potential risk is that the
finished system will have poor controls. In prototyping, changes in the designs and requirements
occur quickly and are seldom documented or approved; hence, change control becomes more
complicated with prototyped systems.
..........................................................................................................
91. An organization has an integrated development environment (IDE) on which the
program libraries reside on the server, but modification/development and testing are done
from PC workstations. Which of the following would be a strength of an IDE?
A. Controls the proliferation of multiple versions of programs
B. Expands the programming resources and aids available
C. Increases program and processing integrity
D. Prevents valid changes from being overwritten by other changes
The correct answer is:
B. Expands the programming resources and aids available
Explanation:
A strength of an IDE is that it expands the programming resources and aids available. The other
choices are IDE weaknesses.
..........................................................................................................
92. Which of the following testing methods is MOST effective during the initial phases of
prototyping?
A. System
B. Parallel
C. Volume
D. Top-down
The correct answer is:
D. Top-down
Explanation:
Top-down testing starts with the system's major functions and works downward. The initial
emphasis when using prototyping is to create screens and reports, thus shaping most of the
proposed system's features in a short period. Volume and system testing are performed during the
final system testing phases. Parallel testing is not necessarily needed, especially if there is no
old system with which to compare.
..........................................................................................................
93. As a business process reengineering (BPR) project takes hold it is expected that:
A. business priorities will remain stable.
B. information technologies will not change.
C. the process will improve product, service and profitability.
D. input from clients and customers will no longer be necessary.
The correct answer is:
C. the process will improve product, service and profitability.
Explanation:
As a reengineering process takes hold, certain key results will begin to emerge, including a
concentration on process as a means of improving product, service and profitability. In addition,
new business priorities and approaches to the use of information as well as powerful and more
accessible information technologies will emerge. Often, the roles of clients and customers will be
redefined, providing them with more direct and active participation in the enterprise's business
process.
..........................................................................................................
94. Responsibility and reporting lines cannot always be established when auditing
automated systems since:
A. diversified control makes ownership irrelevant.
B. staff traditionally changes jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.
The correct answer is:
C. ownership is difficult to establish where resources are shared.
Explanation:
Because of the diversified nature of both data and application systems, the actual owner of data
and applications may be hard to establish.
..........................................................................................................
95. A retail company recently installed data warehousing client software at geographically
diverse sites. Due to time zone differences between the sites, updates to the warehouse are
not synchronized. Which of the following will be affected the MOST?
A. Data availability
B. Data completeness
C. Data redundancy
D. Data inaccuracy
The correct answer is:
B. Data completeness
Explanation:
Unsynchronized updates will generally cause data completeness to be affected, for example,
sales data from one site do not necessarily match costs incurred in another site.
..........................................................................................................
96. The knowledge base of an expert system that uses questionnaires to lead the user
through a series of choices before a conclusion is reached is known as:
A. rules.
B. decision trees.
C. semantic nets.
D. dataflow diagrams.
The correct answer is:
B. decision trees.
Explanation:
Decision trees use questionnaires to lead a user through a series of choices until a conclusion is
reached. Rules refer to the expression of declarative knowledge through the use of if-then
relationships. Semantic nets consist of a graph in which nodes represent physical or conceptual
objects and the arcs describe the relationship between the nodes. Semantic nets resemble a
dataflow diagram and make use of an inheritance mechanism to prevent duplication of data.
..........................................................................................................
97. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.
The correct answer is:
A. Application programmers are implementing changes to production programs.
Explanation:
Production programs are used for processing an enterprise's data. It is imperative that controls on
changes to production programs are stringent. Lack of control in this area could result in
application programs being modified to manipulate the data. Application programmers are
required to implement changes to test programs. These are used only in development and do not
directly impact the live processing of data. The implementation of changes to batch schedules by
operations support staff will affect the scheduling of the batches only; it does not impact the live
data. Database administrators are required to implement changes to data structures. This is
required for reorganization of the database to allow for additions, modifications or deletions of
fields or tables in the database.
..........................................................................................................
98. When planning to add personnel to tasks imposing time constraints on the duration of a
project, which of the following should be revalidated FIRST?
A. The project budget
B. The critical path for the project
C. The length of the remaining tasks
D. The personnel assigned to other tasks
The correct answer is:
B. The critical path for the project
Explanation:
Since adding resources may change the route of the critical path, the critical path must be
reevaluated to ensure that additional resources will in fact shorten the project duration. Given
that there may be slack time available on some of the other tasks not on the critical path, factors
such as the project budget, the length of other tasks and the personnel assigned to them may or
may not be affected.
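Here is an added example, not from the question bank, that runs a forward pass over a constructed task network to find the critical path and then models adding personnel as shortening one task. Shortening a task that is off the critical path leaves the project duration unchanged, while shortening a critical task both reduces the duration and moves the critical path onto a different branch, which is exactly why the path must be revalidated before the budget or the other assignments are touched. The task names and durations are assumptions.

```python
"""Critical path revalidation when resources are added to a task.
Added example; the task network below is constructed."""


def schedule(tasks):
    """Forward pass over a task network.
    tasks: name -> (duration, [predecessor names]).
    Returns (project duration, earliest finish per task, critical path)."""
    order = []

    def visit(name):                      # topological order via DFS
        if name in order:
            return
        for pred in tasks[name][1]:
            visit(pred)
        order.append(name)

    for name in tasks:
        visit(name)

    earliest_finish = {}
    driving_pred = {}                     # predecessor that fixes each start
    for name in order:
        duration, preds = tasks[name]
        start = max((earliest_finish[p] for p in preds), default=0)
        earliest_finish[name] = start + duration
        driving_pred[name] = max(preds, key=earliest_finish.get) if preds else None

    # walk back from the last-finishing task along the driving predecessors
    node = max(earliest_finish, key=earliest_finish.get)
    path = []
    while node is not None:
        path.append(node)
        node = driving_pred[node]
    path.reverse()
    return earliest_finish[path[-1]], earliest_finish, path


def shorten(tasks, name, new_duration):
    """Model adding personnel to one task by reducing its duration."""
    out = dict(tasks)
    out[name] = (new_duration, tasks[name][1])
    return out


# Constructed network, durations in days.
NETWORK = {
    "requirements": (5, []),
    "design": (6, ["requirements"]),
    "procure_hw": (9, ["requirements"]),
    "build": (8, ["design"]),
    "test": (4, ["build", "procure_hw"]),
}
```

With the network above the project takes 23 days along requirements, design, build, test. Cutting procure_hw from 9 to 3 days changes nothing, because it has slack; cutting build from 8 to 2 days brings the project to 18 days, but the critical path now runs through procure_hw, so any further staffing decision has to be made against that new path.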
..........................................................................................................
99. Which of the following is the PRIMARY purpose for conducting parallel testing?
A. To determine if the system is cost-effective
B. To enable comprehensive unit and system testing
C. To highlight errors in the program interfaces with files
D. To ensure the new system meets user requirements
The correct answer is:
D. To ensure the new system meets user requirements
Explanation:
The purpose of parallel testing is to ensure that the implementation of a new system will meet
user requirements. Parallel testing may show that the old system is, in fact, better than the new
system, but this is not the primary reason. Unit and system testing are completed before parallel
testing. Program interfaces with files are tested for errors during system testing.
..........................................................................................................
100. Prices are charged on the basis of a standard master file rate that changes as the
volume increases. Any exceptions must be manually approved. What is the MOST effective
automated control to help ensure that all price exceptions are approved?
A. All amounts are displayed back to the data entry clerk, who must verify them visually.
B. Prices outside the normal range should be entered twice to verify data entry accuracy.
C. The system beeps when price exceptions are entered and prints such occurrences on a
report.
D. A second-level password must be entered before a price exception can be processed.
The correct answer is:
D. A second-level password must be entered before a price exception can be processed.
Explanation:
Automated control should ensure that the system processes the price exceptions only upon
approval of another user who is authorized to approve such exceptions. A second-level password
would ensure that price exceptions will be approved by a user who has been authorized by
management. Visual verification of all amounts by a data entry clerk is not a control, but a basic
requirement for any data entry. The user's ability to visually verify what has been entered is a
basic manual control. Entering of price exceptions twice is an input control. This does not ensure
that exceptions will be verified automatically by another user. The system beeping on entry of a
price exception is only a warning to the data entry clerk; it does not prevent proceeding further.
Printing of these exceptions on a report is a detective (manual) control.
..........................................................................................................
101. The reason for establishing a stop or freezing point on the design of a new system is to:
A. prevent further changes to a project in process.
B. indicate the point at which the design is to be completed.
C. require that changes after that point be evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.
The correct answer is:
C. require that changes after that point be evaluated for cost-effectiveness.
Explanation:
Projects often have a tendency to expand, especially during the requirements definition phase.
This expansion often grows to a point where the originally anticipated cost-benefits are
diminished because the cost of the project has increased. When this occurs, it is recommended
that the project be stopped or frozen to allow a re-review of all of the cost-benefits and the
payback period.
..........................................................................................................
102. After discovering a security vulnerability in a third-party application that interfaces
with several external systems, a patch is applied to a significant number of modules. Which
of the following tests should an IS auditor recommend?
A. Stress
B. Black box
C. Interface
D. System
The correct answer is:
D. System
Explanation:
Given the extensiveness of the patch and its interfaces to external systems, system testing is most
appropriate. Interface testing is not enough, and stress or black box testing are inadequate in
these circumstances.
..........................................................................................................
103. A control that detects transmission errors by appending calculated bits onto the end of
each segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.
The correct answer is:
C. redundancy check.
Explanation:
A redundancy check detects transmission errors by appending calculated bits onto the end of
each segment of data. A reasonableness check compares data to predefined reasonability limits
or occurrence rates established for the data. A parity check is a hardware control that detects data
errors when data are read from one computer to another, from memory or during transmission.
Check digits detect transposition and transcription errors.
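To show why a redundancy check is preferred over a single parity bit for transmission errors (the point of this question and of question 84), here is an added example, not from the question bank, that computes even parity and a CRC-16 over a constructed payment segment and then injects one-bit and two-bit errors. Parity detects the single flipped bit but misses the pair; the CRC catches both. The message, the error positions and the choice of the CRC-16/CCITT-FALSE polynomial are assumptions for the illustration.

```python
"""Parity bit versus cyclic redundancy check on a data segment.
Added example; the message and the injected errors are constructed."""


def parity_bit(data: bytes) -> int:
    """Even parity: the one bit that makes the total count of 1 bits even."""
    ones = sum(bin(b).count("1") for b in data)
    return ones % 2


def parity_ok(data: bytes, bit: int) -> bool:
    return parity_bit(data) == bit


def crc16_ccitt(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE: 16 calculated bits appended to each segment."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def frame(data: bytes) -> bytes:
    """Transmitter side: append the CRC (big-endian) to the segment."""
    return data + crc16_ccitt(data).to_bytes(2, "big")


def crc_ok(framed: bytes) -> bool:
    """Receiver side: recompute the CRC over the payload and compare."""
    data, received = framed[:-2], int.from_bytes(framed[-2:], "big")
    return crc16_ccitt(data) == received


def flip_bits(data: bytes, positions) -> bytes:
    """Inject transmission errors: flip the bit at each (byte, bit) position."""
    out = bytearray(data)
    for byte_index, bit_index in positions:
        out[byte_index] ^= 1 << bit_index
    return bytes(out)
```

The CRC-16 polynomial used here detects every single-bit and every double-bit error in a segment shorter than its period, and any burst of up to 16 bits, which is what makes it the appropriate control for a whole segment; a parity bit only ever tells you whether an odd number of bits changed.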
..........................................................................................................
104. The quality assurance group is typically responsible for:
A. ensuring that the output received from system processing is complete.
B. monitoring the execution of computer processing tasks.
C. ensuring that programs and program changes and documentation adhere to established
standards.
D. designing procedures to protect data against accidental disclosure, modification or
destruction.
The correct answer is:
C. ensuring that programs and program changes and documentation adhere to established
standards.
Explanation:
The quality assurance group is typically responsible for ensuring that programs, program
changes and documentation adhere to established standards. Choice A is the responsibility of the
data control group, choice B is the responsibility of computer operations, and choice D is the
responsibility of data security.
..........................................................................................................
105. When implementing an application software package, which of the following presents
the GREATEST risk?
A. Uncontrolled multiple software versions
B. Source programs that are not synchronized with object code
C. Incorrectly set parameters
D. Programming errors
The correct answer is:
C. Incorrectly set parameters
Explanation:
Parameters that are not set correctly would be the greatest concern when implementing an
application software package. The other choices, though important, are a concern of the provider,
not the organization that is implementing the software itself.
..........................................................................................................
106. Which of the following is a control weakness that can jeopardize a system replacement
project?
A. The project initiation document has not been updated to reflect changes in the system
scope.
B. A gap analysis comparing the chosen solution to the original specification has revealed a
number of significant changes in functionality.
C. The project has been subject to a number of requirement specification changes.
D. The organization has decided that a project steering committee is not required.
The correct answer is:
D. The organization has decided that a project steering committee is not required.
Explanation:
Even in a small project, the lack of a project steering committee represents the absence of a
fundamental control. The project initiation document captures the initial scope and structure of
the project, and it is not practical to keep it updated, as changes to the project can be captured
through change control procedures and committee decisions. A gap analysis is a process that
enables differences to be identified and addressed. Changes of scope and requirements are
significant risks that can have a major effect on project success; however, of themselves, they are
not control weaknesses. They should be controlled by change control procedures.
..........................................................................................................
107. Which of the following is an implementation risk within the process of decision
support systems?
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes
The correct answer is:
C. Inability to specify purpose and usage patterns
Explanation:
The inability to specify purpose and usage patterns is a risk that developers need to anticipate
while implementing a decision support system (DSS). Choices A, B and D are not risks, but
characteristics of a DSS.
..........................................................................................................
108. During the audit of an acquired software package, the IS auditor learned that the
software purchase was based on information obtained through the Internet, rather than
from responses to a request for proposal (RFP). The IS auditor should FIRST:
A. test the software for compatibility with existing hardware.
B. perform a gap analysis.
C. review the licensing policy.
D. ensure that the procedure had been approved.
The correct answer is:
D. ensure that the procedure had been approved.
Explanation:
In the case of a deviation from the predefined procedures, the IS auditor should first ensure that
the procedure followed for acquiring the software is consistent with the business objectives and
has been approved by the appropriate authorities. The other choices are not the first actions the
IS auditor should take. They are steps that may or may not be taken after determining that the
procedure used to acquire the software had been approved.
..........................................................................................................
109. An IS auditor that participates in the testing stage of a software development project
establishes that the individual modules perform correctly. The IS auditor should:
A. conclude that the individual modules running as a group will be correct.
B. document the test as positive proof that the system can produce the desired results.
C. inform management and recommend an integrated test.
D. provide additional test data.
The correct answer is:
C. inform management and recommend an integrated test.
Explanation:
Modules that have been tested individually can have interface problems, causing adverse effects
on other modules. Therefore, the most appropriate action for the IS auditor is to recommend that
management carry out an integrated test, which will demonstrate whether the modules working
together can produce the desired output. Running additional test data against individual modules
will not prove the ability of the modules to work together.
..........................................................................................................
110. Which of the following represents a typical prototype of an interactive application?
A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports
The correct answer is:
B. Screens, interactive edits and sample reports
Explanation:
Process programs are not produced by a prototyping tool. This often leads to confusion for the
end user who expects quick implementation of programs that accomplish the results that these
tools produce.
..........................................................................................................
111. Functional acknowledgements are used:
A. as an audit trail for EDI transactions.
B. to functionally describe the IS department.
C. to document user roles and responsibilities.
D. as a functional description of application software.
The correct answer is:
A. as an audit trail for EDI transactions.
Explanation:
Functional acknowledgements are standard EDI transactions that tell trading partners that their
electronic documents were received. Different types of functional acknowledgments provide
various levels of detail and, therefore, can act as an audit trail for EDI transactions. The other
choices are not relevant to the description of functional acknowledgements.
..........................................................................................................
112. Documentation of a business case used in an IT development project should be
retained until:
A. the end of the system's life cycle.
B. the project is approved.
C. user acceptance of the system.
D. the system is in production.
The correct answer is:
A. the end of the system's life cycle.
Explanation:
A business case can and should be used throughout the life cycle of the product. It serves as an
anchor for new (management) personnel, helps to maintain focus and provides valuable
information on estimates vs. actuals. Questions like "why do we do that," "what was the original
intent" and "how did we perform against the plan" can be answered and lessons for developing
future business cases can be learned. During the development phase of a project one should
always validate the business case, as it is a good management instrument. After finishing a
project and entering production, the business case and all the research done are valuable sources
of information that should be kept for further reference.
..........................................................................................................
113. An advantage in using a bottom-up vs. a top-down approach to software testing is
that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.
The correct answer is:
C. errors in critical modules are detected earlier.
Explanation:
The bottom-up approach to software testing begins with the testing of atomic units, such as
programs and modules, and works upward until a complete system testing has taken place. The
advantages of using a bottom-up approach to software testing are the fact that there is no need
for stubs or drivers and errors in critical modules are found earlier. The other choices in this
question all refer to advantages of a top-down approach, which follows the opposite path, either
in depth-first or breadth-first search order.
..........................................................................................................
114. An objective of a postimplementation review of a new or extensively modified business
application system is to:
A. determine whether test data covered all scenarios.
B. conduct a certification and accreditation process.
C. assess whether expected project benefits were received.
D. design audit trail reports.
The correct answer is:
C. assess whether expected project benefits were received.
Explanation:
Assessing whether expected project benefits were achieved would be one of the objectives of a
post-implementation review. Determining whether test data covered all scenarios and conducting
a certification and accreditation process are objectives of the implementation phase of
application systems development. Designing audit trails is part of the design phase of the
development.
..........................................................................................................
115. Which of the following would be the MOST likely to ensure that business
requirements are met during software development?
A. Adequate training
B. Programmers that clearly understand the business processes
C. Documentation of business rules
D. Early engagement of key users
The correct answer is:
D. Early engagement of key users
Explanation:
Key users, since they are familiar with the daily needs, are the individuals that can provide the
requirements to ensure the application developed will meet the business needs. Training would
aid in learning how to use the system but would not provide the business requirements. Choices
B and C are important; however, they will not, by themselves, ensure that requirements are met.
..........................................................................................................
116. Which of the following should be included in a feasibility study for a project to
implement an EDI process?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication protocols
D. The proposed trusted third-party agreement
The correct answer is:
C. The necessary communication protocols
Explanation:
Encryption algorithms, third-party agreements and internal control procedures are too detailed
for this phase. They would only be outlined and any cost or performance implications shown.
The communications protocols must be included, as there may be significant cost implications, if
new hardware and software are involved, and risk implications, if the technology is new to the
organization.
..........................................................................................................
117. The responsibility for designing, implementing and maintaining a system of internal
control lies with:
A. the IS auditor.
B. management.
C. the external auditor.
D. the programming staff.
The correct answer is:
B. management.
Explanation:
Designing, implementing and maintaining a system of internal controls, including the prevention
and detection of fraud is the responsibility of management. The IS auditor assesses the risks and
performs tests to detect irregularities created by weaknesses in the structure of internal controls.
..........................................................................................................
118. A company uses a bank to process its weekly payroll. Time sheets and payroll
adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to
the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure
payroll data accuracy:
A. payroll reports should be compared to input forms.
B. gross payroll should be recalculated manually.
C. checks (cheques) should be compared to input forms.
D. checks (cheques) should be reconciled with output reports.
The correct answer is:
A. payroll reports should be compared to input forms.
Explanation:
The best way to confirm data accuracy, when input is provided by the company and output is
generated by the bank, is to verify the data input (input forms) with the results of the payroll
reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying
data accuracy. Recalculating gross payroll manually would only verify whether the processing is
correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not
feasible as checks (cheques) have the processed information and input forms have the input data.
Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been
issued as per output reports.
..........................................................................................................
119. Business units are concerned about the performance of a newly implemented system.
Which of the following should the IS auditor recommend?
A. Develop a baseline and monitor system usage.
B. Define alternate processing procedures.
C. Prepare the maintenance manual.
D. Implement the changes users have suggested.
The correct answer is:
A. Develop a baseline and monitor system usage.
Explanation:
The IS auditor should recommend the development of a performance baseline and monitor the
system's performance, against the baseline, to develop empirical data upon which decisions for
modifying the system can be made. Alternate processing procedures and a maintenance manual
will not alter a system's performance. Implementing changes without knowledge of the cause(s)
for the perceived poor performance may not result in a more efficient system.
..........................................................................................................
120. At the end of the testing phase of software development, an IS auditor observes that an
intermittent software error has not been corrected. No action has been taken to resolve the
error. The IS auditor should:
A. report the error as a finding and leave further exploration to the auditee's discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error, as it is not possible to get objective evidence for the software error.
The correct answer is:
C. recommend that problem resolution be escalated.
Explanation:
When an auditor observes such conditions, it is best to fully apprise the auditee and suggest that
further problem resolutions be attempted. Recording it as a minor error and leaving it to the
auditee's discretion would be inappropriate, and neglecting the error would indicate that the
auditor has not taken steps to further probe the issue to its logical end.
..........................................................................................................
121. An organization is implementing a new system to replace a legacy system. Which of
the following conversion practices creates the GREATEST risk?
A. Pilot
B. Parallel
C. Direct cut-over
D. Phased
The correct answer is:
C. Direct cut-over
Explanation:
Direct cut-over implies switching to the new system immediately, usually without the ability to
revert to the old system in the event of problems. All other alternatives are done gradually and
thus provide greater recoverability and are therefore less risky.
..........................................................................................................
122. Which of the following is the FIRST step in a business process reengineering (BPR)
project?
A. Defining the areas to be reviewed
B. Developing a project plan
C. Understanding the process under review
D. Reengineering and streamlining the process under review
The correct answer is:
A. Defining the areas to be reviewed
Explanation:
On the basis of the evaluation of the entire business process, correctly defining the areas to be
reviewed is the first step in a BPR project. On the basis of the definition of the areas to be
reviewed, the project plan is developed. Understanding the process under review is important,
but the subject of the review must be defined first. Thereafter, the process can be reengineered,
streamlined, implemented and monitored for continuous improvement.
..........................................................................................................
123. An IS auditor finds out-of-range data in some tables of a database. Which of the
following controls should the IS auditor recommend to avoid this situation?
A. Log all table update transactions.
B. Implement before-and-after image reporting.
C. Use tracing and tagging.
D. Implement integrity constraints in the database.
The correct answer is:
D. Implement integrity constraints in the database.
Explanation:
Implementing integrity constraints in the database is a preventive control, because data is
checked against predefined tables or rules preventing any undefined data from being entered.
Logging all table update transactions and implementing before-and-after image reporting are
detective controls that would not avoid the situation. Tracing and tagging are used to test
application systems and controls and could not prevent out-of-range data.
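Integrity constraints as a preventive control, contrasted with the detective query that would merely find the bad rows afterwards, as an added example that is not part of the question bank. It uses Python's standard-library sqlite3 module; the table names, columns, valid range and sample rows are constructed for this illustration.

```python
"""Integrity constraints (preventive) vs. an after-the-fact range query
(detective), using an in-memory SQLite database. Constructed example; the
table and column names are invented for illustration."""
import sqlite3

# The valid range for the constructed 'amount' column, enforced by the CHECK.
AMOUNT_MIN, AMOUNT_MAX = 0, 1_000_000


def build_db() -> sqlite3.Connection:
    """Create two constructed tables: one with no integrity constraints and
    one where the database itself rejects undefined or out-of-range values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when enabled
    conn.executescript(f"""
        CREATE TABLE currency (code TEXT PRIMARY KEY);
        INSERT INTO currency VALUES ('USD'), ('EUR');

        -- Unconstrained: anything goes; errors surface only in later review.
        CREATE TABLE payment_unchecked (
            id INTEGER PRIMARY KEY,
            amount INTEGER,
            currency TEXT
        );

        -- Constrained: NOT NULL, CHECK and FOREIGN KEY prevent bad rows.
        -- NOT NULL matters: a CHECK on a NULL value evaluates to NULL and passes.
        CREATE TABLE payment_checked (
            id INTEGER PRIMARY KEY,
            amount INTEGER NOT NULL
                CHECK (amount BETWEEN {AMOUNT_MIN} AND {AMOUNT_MAX}),
            currency TEXT NOT NULL REFERENCES currency(code)
        );
    """)
    return conn


def try_insert(conn, table: str, amount, currency) -> bool:
    """Attempt an insert; return True if the row was accepted, False if the
    database rejected it. Only the two constructed table names are allowed."""
    assert table in ("payment_unchecked", "payment_checked")
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute(f"INSERT INTO {table} (amount, currency) VALUES (?, ?)",
                         (amount, currency))
        return True
    except sqlite3.IntegrityError:
        return False


def find_out_of_range(conn, table: str) -> list:
    """Detective control: the query an auditor would run to find rows that
    violate the business rules after they have already been stored."""
    assert table in ("payment_unchecked", "payment_checked")
    return conn.execute(f"""
        SELECT id, amount, currency FROM {table}
        WHERE amount IS NULL
           OR amount NOT BETWEEN ? AND ?
           OR currency IS NULL
           OR currency NOT IN (SELECT code FROM currency)
    """, (AMOUNT_MIN, AMOUNT_MAX)).fetchall()


def demo() -> dict:
    """Run the same bad inputs against both tables and summarize the outcome."""
    conn = build_db()
    bad_rows = [(-5, "USD"), (2_000_000, "EUR"), (100, "XXX"), (None, "USD")]
    good_row = (250, "EUR")
    accepted = {}
    for table in ("payment_unchecked", "payment_checked"):
        accepted[table] = sum(try_insert(conn, table, a, c) for a, c in bad_rows + [good_row])
    return {
        "accepted": accepted,
        "out_of_range_unchecked": len(find_out_of_range(conn, "payment_unchecked")),
        "out_of_range_checked": len(find_out_of_range(conn, "payment_checked")),
    }


if __name__ == "__main__":
    print(demo())
```

The unconstrained table accepts all five rows and the review query later flags four of them; the constrained table accepts only the valid row, so there is nothing for the detective query to find. Note the NOT NULL alongside the CHECK: a CHECK alone does not reject a NULL, which is a common gap when constraints are added to an existing table.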
..........................................................................................................
124. An organization donating used computers should ensure that:
A. the computers were not used to store confidential data.
B. a nondisclosure agreement has been signed.
C. the data storage media are sanitized.
D. all data has been deleted.
The correct answer is:
C. the data storage media are sanitized.
Explanation:
To ensure confidentiality of the organization’s data when disposing of used computers, the
information stored on the computers should not be available once the computers are out of
control of the organization. Destroying or sanitizing the storage media will provide this
assurance. The next best method is to ensure that the computers were not used for storing
confidential information. A signed nondisclosure agreement will not prevent sensitive data on
the donated computers from being recovered. Deleting data does not remove it from storage.
..........................................................................................................
125. Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.
The correct answer is:
B. Prototype systems can provide significant time and cost savings.
Explanation:
Prototype systems can provide significant time and cost savings; however, they also have several
disadvantages. They often have poor internal controls, change control becomes much more
complicated, and it often leads to functions or extras being added to the system that were not
originally intended.
..........................................................................................................
126. Which is the first software capability maturity model (CMM) level to include a
standard software development process?
A. Initial (level 1)
B. Repeatable (level 2)
C. Defined (level 3)
D. Optimizing (level 5)
The correct answer is:
C. Defined (level 3)
Explanation:
Based on lessons learned from level 1 (initial) and level 2 (repeatable), level 3 (defined) initiates
documentation to provide standardized software processes across the organization. Level 1
(initial) is characterized as ad hoc, and reliance is placed on key personnel and processes are not
documented. After level 1, level 2 (repeatable) creates a learning environment where disciplined
processes can be repeated successfully on other projects of similar size and scope. The ability to
quantitatively control software projects arises on attaining the final level (5) of CMM. At level 5,
an organization is in a position to use continuous process improvement strategies in applying
innovative solutions and state-of-the-art technologies to its software projects.
..........................................................................................................
127. The most common reason for the failure of information systems to meet the needs of
users is that:
A. user needs are constantly changing.
B. the growth of user requirements was forecast inaccurately.
C. the hardware system limits the number of concurrent users.
D. user participation in defining the system's requirements was inadequate.
The correct answer is:
D. user participation in defining the system's requirements was inadequate.
Explanation:
Lack of adequate user involvement, especially in the system's requirements phase, will usually
result in a system that does not fully or adequately address the needs of the user. Only users can
define what their needs are and, therefore, what the system should accomplish.
..........................................................................................................
128. In planning a software development project, which of the following is the MOST
difficult to determine?
A. Project slack times
B. The project's critical path
C. Time and resource requirements for individual tasks
D. Relationships that preclude the start of an activity before others are complete
The correct answer is:
C. Time and resource requirements for individual tasks
Explanation:
The most difficult problem is effectively estimating a project's slack time and/or resource
requirements for individual tasks or development activities. This is commonly done through
direct software measures [size-oriented, e.g., SLOC (source lines of code) or KLOC (thousand
lines of code)] or indirect software measures (function points—values for a number of user
inputs, outputs, inquiries, files and interfaces). The other choices are employed project
management methods and techniques that are dependent on the effectiveness of methods used in
deriving accurate and reliable software development productivity and performance measures.
..........................................................................................................
129. Which of the following is an object-oriented technology characteristic that permits an
enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism
The correct answer is:
C. Encapsulation
Explanation:
Encapsulation is a property of objects, and it prevents accessing either properties or methods that
have not been previously defined as public. This means that any implementation of the behavior
of an object is not accessible. An object defines a communication interface with the exterior and
only that which belongs to that interface can be accessed.
..........................................................................................................
130. If an application program is modified and proper system maintenance procedures are
in place, which of the following should be tested? The:
A. integrity of the database.
B. access controls for the applications programmer.
C. complete program, including any interface systems.
D. segment of the program containing the revised code.
The correct answer is:
C. complete program, including any interface systems.
Explanation:
The complete program with all interfaces needs to be tested to determine the full impact of a
change to program code. Usually, the more complex the program, the more testing is required.
..........................................................................................................
131. An IS auditor is conducting a review of an application system after users have
completed acceptance testing. What should be the IS auditor’s major concern?
A. Determining whether test objectives were documented
B. Assessing whether users documented expected test results
C. Reviewing whether test problem logs were completed
D. Determining if there are unresolved issues
The correct answer is:
D. Determining if there are unresolved issues
Explanation:
In assessing the overall success or failure of the acceptance test, the IS auditor should determine
whether the test plans were documented and whether actual results were compared with expected
results as well as review the test problem log to confirm resolution of identified test issues. The
IS auditor should then determine the impact of the unresolved issues on system functionality and
usability.
..........................................................................................................
132. When two or more systems are integrated, input/output controls must be reviewed by
the IS auditor in the:
A. systems receiving the output of other systems.
B. systems sending output to other systems.
C. systems sending and receiving data.
D. interfaces between the two systems.
The correct answer is:
C. systems sending and receiving data.
Explanation:
Both of the systems must be reviewed for input/output controls, since the output for one system
is the input for the other.
..........................................................................................................
133. An IS auditor performing a review of the IS department discovers that formal project
approval procedures do not exist. In the absence of these procedures, the IS manager has
been arbitrarily approving projects that can be completed in a short duration and
referring other, more complicated projects to higher levels of management for approval.
The IS auditor should recommend as a FIRST course of action that:
A. users participate in the review and approval process.
B. formal approval procedures be adopted and documented.
C. projects be referred to appropriate levels of management for approval.
D. the IS manager's job description be changed to include approval authority.
The correct answer is:
B. formal approval procedures be adopted and documented.
Explanation:
It is imperative that formal, written approval procedures are established to set accountability.
This is true of the IS manager and higher levels of management. Choices A, C and D would be
subsequent recommendations once authority has been established.
..........................................................................................................
134. An IS auditor performing an application maintenance audit would review the log of
program changes for the:
A. authorization of program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. creation date of a current source program.
The correct answer is:
A. authorization of program changes.
Explanation:
The manual log will most likely contain information on authorized changes to a program.
Deliberate, unauthorized changes will not be documented by the responsible party. An automated
log, found usually in library management products, and not a change log would most likely
contain date information for the source and executable modules.
..........................................................................................................
135. Which of the following is a management technique that enables organizations to
develop strategically important systems faster, while reducing development costs and
maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique
The correct answer is:
C. Rapid application development
Explanation:
Rapid application development is a management technique that enables organizations to develop
strategically important systems faster, while reducing development costs and maintaining
quality. The program evaluation review technique (PERT) and critical path methodology (CPM)
are both planning and control techniques, while function point analysis is used for estimating the
complexity of developing business applications.
..........................................................................................................
136. When reviewing a system development project at the project initiation stage, an IS
auditor finds that the project team is following the organization's quality manual. To meet
critical deadlines the project team proposes to fast track the validation and verification
processes, commencing some elements before the previous deliverable is complete. Under
these circumstances, the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team's failure to follow quality procedures.
D. report the risks associated with fast tracking to the project steering committee.
The correct answer is:
D. report the risks associated with fast tracking to the project steering committee.
Explanation:
It is important that quality processes are appropriate to individual projects. Attempts to apply
inappropriate processes often lead to those processes being abandoned under pressure. A fast-tracking process
is an acceptable option under certain circumstances; however, it is important that the project
steering committee is informed of the risks associated with this (i.e., possibility of rework if
changes are required).
..........................................................................................................
137. A company has recently upgraded its purchase system to incorporate EDI
transmissions. Which of the following controls should be implemented in the EDI interface
to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements
The correct answer is:
D. Functional acknowledgements
Explanation:
Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main
controls used in data mapping. All the other choices are manual input controls, whereas data
mapping deals with automatic integration of data in the receiving company.
..........................................................................................................
138. Which of the following development methods most heavily relies on the usage of a
prototype that can be updated continually to meet changing user or business
requirements?
A. Data-oriented system development (DOD)
B. Object-oriented system development (OOD)
C. Business process reengineering (BPR)
D. Rapid application development (RAD)
The correct answer is:
D. Rapid application development (RAD)
Explanation:
RAD uses prototyping as its core development tool no matter which underlying technology is
used. In contrast, object-oriented and data-oriented system development (OOD and DOD) use continuously developing models but have a focus on
content solution space (e.g., How to best address the problem to make the code reusable and
maintainable?) and can be applied using a traditional waterfall approach. It should also be noted
that business process reengineering (BPR) attempts to convert an existing business process rather
than make dynamic changes.
..........................................................................................................
139. The PRIMARY reason for separating the test and development environments is to:
A. restrict access to systems under test.
B. segregate user and development staff.
C. control the stability of the test environment.
D. secure access to systems under development.
The correct answer is:
C. control the stability of the test environment.
Explanation:
The test environment must be controlled and stable to ensure that development projects are tested
in a realistic environment that, as far as possible, mirrors the live environment. Restricting access
to test and development systems can be achieved easily by normal access control methods, and
the mere separation of the environments will not provide adequate segregation of duties. The IS
auditor must be aware of the benefits of separating these environments wherever possible.
..........................................................................................................
140. Functionality is a characteristic associated with evaluating the quality of software
products throughout their life cycle, and is BEST described as the set of attributes that
bear on the:
A. existence of a set of functions and their specified properties.
B. ability of the software to be transferred from one environment to another.
C. capability of software to maintain its level of performance under stated conditions.
D. relationship between the performance of the software and the amount of resources used.
The correct answer is:
A. existence of a set of functions and their specified properties.
Explanation:
Functionality is the set of attributes that bears on the existence of a set of functions and their
specified properties. The functions are those that satisfy stated or implied needs. Choice B refers
to portability, choice C refers to reliability and choice D refers to efficiency.
..........................................................................................................
141. Which of the following data validation edits could be used by a bank, to ensure the
correctness of bank account numbers assigned to customers, thereby helping to avoid
transposition and transcription errors?
A. Sequence check
B. Validity check
C. Check digit
D. Existence check
The correct answer is:
C. Check digit
Explanation:
A check digit is a mathematically calculated value appended to data so that accidental alteration
of the data can be detected. It therefore catches transposition (two digits swapped) and
transcription (a digit mistyped) errors, and a check digit added to an account number lets the
system verify the number before it is processed. It is an accuracy control rather than a security
control: anyone who deliberately alters a number can recompute the check digit. Sequence checks
ensure that a number follows sequentially; any out-of-sequence or duplicate control numbers are
rejected or noted on an exception report. Validity checks and existence checks match data
against predetermined criteria to ensure accuracy.
..........................................................................................................
142. Which of the following will BEST ensure the successful offshore development of
business applications?
A. Stringent contract management practices
B. Detailed and correctly applied specifications
C. Awareness of cultural and political differences
D. Postimplementation reviews
The correct answer is:
B. Detailed and correctly applied specifications
Explanation:
When dealing with offshore operations, it is essential that detailed specifications be created.
Language differences and a lack of interaction between developers and physically remote end
users could create gaps in communication in which assumptions and modifications may not be
adequately communicated. Contract management practices, cultural and political differences, and
postimplementation reviews, although important, are not as pivotal to the success of the project.
..........................................................................................................
143. A data validation edit that matches input data to an occurrence rate is a:
A. limit check.
B. reasonableness check.
C. range check.
D. validity check.
The correct answer is:
B. reasonableness check.
Explanation:
A reasonableness check is an edit check, wherein input data are matched to predetermined
reasonable limits or occurrence rates. Limit checks verify that data do not exceed a
predetermined amount. Range checks verify that data are within a predetermined range of values.
Validity checks test for data validity in accordance with predetermined criteria.
..........................................................................................................
144. When a new system is to be implemented within a short time frame, it is MOST
important to:
A. finish writing user manuals.
B. perform user acceptance testing.
C. add last-minute enhancements to functionalities.
D. ensure that the code has been documented and reviewed.
The correct answer is:
B. perform user acceptance testing.
Explanation:
It would be most important to complete the user acceptance testing to ensure that the system to
be implemented is working correctly. Completing the user manuals, like performing code reviews,
is desirable but secondary. If time is tight, the last thing one would want to do is add another
enhancement; the code should be frozen and the testing completed, with any other changes
deferred as future enhancements. It would be appropriate to have the code documented and
reviewed, but unless the acceptance testing is completed, there is no guarantee that the system
will work correctly and meet user requirements.
..........................................................................................................
145. An IS auditor who has discovered unauthorized transactions during a review of EDI
transactions is likely to recommend improving the:
A. EDI trading partner agreements.
B. physical controls for terminals.
C. authentication techniques for sending and receiving messages.
D. program change control procedures.
The correct answer is:
C. authentication techniques for sending and receiving messages.
Explanation:
Authentication techniques for sending and receiving messages play a key role in minimizing
exposure to unauthorized transactions. The EDI trading partner agreements would minimize
exposure to legal issues.
..........................................................................................................
146. Which of the following should an IS auditor review to gain an understanding of the
effectiveness of controls over the management of multiple projects?
A. Project database
B. Policy documents
C. Project portfolio database
D. Program organization
The correct answer is:
C. Project portfolio database
Explanation:
A project portfolio database is the basis for project portfolio management. It includes project
data, such as owner, schedules, objectives, project type, status and cost. Project portfolio
management requires specific project portfolio reports. A project database may contain the above
for one specific project and updates to various parameters pertaining to the current status of that
single project. Policy documents on project management set direction for the design,
development, implementation and monitoring of the project. Program organization is the team
required (steering committee, quality assurance, systems personnel, analyst, programmer,
hardware support, etc.) to meet the delivery objective of the project.
..........................................................................................................
147. Which of the following types of data validation editing checks is used to determine if a
field contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check
The correct answer is:
C. Completeness check
Explanation:
A completeness check is used to determine if a field contains data and not zeros or blanks. A
check digit is a digit calculated mathematically to ensure original data were not altered. An
existence check verifies that entered data agree with predetermined criteria (e.g., that a code
exists in a reference table). A
reasonableness check matches input to predetermined reasonable limits or occurrence rates.
..........................................................................................................
148. During a postimplementation review of an enterprise resource management system, an
IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
The correct answer is:
A. review access control configuration.
Explanation:
Reviewing access control configuration would be the first task performed to determine whether
security has been appropriately mapped in the system. Since a postimplementation review is
done after user acceptance testing and actual implementation, one would not engage in interface
testing or detailed design documentation. Evaluating interface testing would be part of the
implementation process. The issue of reviewing detailed design documentation is not generally
relevant to an enterprise resource management system, since these are usually vendor packages
with user manuals. System testing should be performed before final user sign-off.
..........................................................................................................
149. In an online transaction processing system, data integrity is maintained by ensuring
that a transaction is either completed in its entirety or not at all. This principle of data
integrity is known as:
A. isolation.
B. consistency.
C. atomicity.
D. durability.
The correct answer is:
C. atomicity.
Explanation:
The principle of atomicity requires that a transaction be completed in its entirety or not at all. If
an error or interruption occurs, all changes made up to that point are backed out. Consistency
ensures that all integrity conditions in the database be maintained with each transaction. Isolation
ensures that each transaction is isolated from other transactions, and hence, each transaction only
accesses data that are part of a consistent database state. Durability ensures that, when a
transaction has been reported back to a user as complete, the resultant changes to the database
will survive subsequent hardware or software failures.
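The following is an added example, not part of the original question bank, showing atomicity (and the consistency rule it protects) in running code. It uses Python's bundled sqlite3 module with an in-memory database; the account table, the balances and the "crash" are constructed for illustration.

```python
"""Atomicity in practice: a two-step transfer that either fully commits or rolls back.

Added example, not from the page. Uses Python's bundled sqlite3 module with an
in-memory database; the account table and balances are constructed.
"""
import sqlite3


def make_bank() -> sqlite3.Connection:
    # isolation_level=None: the module issues no implicit BEGIN, so the
    # transaction boundaries below are exactly the ones written here.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"  # consistency rule
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    return conn


def balances(conn: sqlite3.Connection) -> dict:
    """Current balances keyed by account id."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def transfer(conn, src: str, dst: str, amount: int, crash_midway: bool = False) -> bool:
    """Debit src and credit dst inside one transaction.

    Returns True if both updates committed, False if the transaction was
    rolled back (simulated crash or an integrity violation such as overdraft).
    """
    conn.execute("BEGIN")
    try:
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                     (amount, src))
        if crash_midway:
            # Stand-in for a process crash or power loss between the two writes.
            raise RuntimeError("interrupted between debit and credit")
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                     (amount, dst))
        conn.execute("COMMIT")
        return True
    except (sqlite3.Error, RuntimeError):
        # Atomicity: everything since BEGIN is backed out; the debit vanishes.
        conn.execute("ROLLBACK")
        return False


if __name__ == "__main__":
    bank = make_bank()
    print(transfer(bank, "alice", "bob", 30), balances(bank))
    print(transfer(bank, "alice", "bob", 20, crash_midway=True), balances(bank))
    print(transfer(bank, "bob", "alice", 500), balances(bank))  # overdraft
```

The simulated crash is an exception, so the code can issue ROLLBACK itself; when a process really dies mid-transaction, the database engine performs the same rollback from its journal on next open, which is the durability side of the same guarantee.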
..........................................................................................................
150. Which of the following is the most important element in the design of a data
warehouse?
A. Quality of the metadata
B. Speed of the transactions
C. Volatility of the data
D. Vulnerability of the system
The correct answer is:
A. Quality of the metadata
Explanation:
Quality of the metadata is the most important element in the design of a data warehouse. A data
warehouse is a copy of transaction data specifically structured for query and analysis. Metadata
aim to provide a table of contents to the information stored in the data warehouse. Companies
that have built warehouses believe that metadata are the most important component of the
warehouse.
..........................................................................................................
151. Which of the following activities should an IS auditor perform to evaluate the
reliability of a software?
A. Review the number of failed login attempts.
B. Count the number of program errors in a given period of execution time.
C. Measure the response time of different requests.
D. Interview users to assess the extent to which their requirements are met.
The correct answer is:
B. Count the number of program errors in a given period of execution time.
Explanation:
The number of program errors is a measure of the reliability of a system. The number of failed
login attempts is a security issue but does not relate to reliability. Response time is an indicator
of efficiency rather than reliability. User perception is an indicator of usability not reliability.
..........................................................................................................
152. Many IT projects experience problems because the development time and/or resource
requirements are underestimated. Which of the following techniques would provide the
GREATEST assistance in developing an estimate of project duration?
A. Function point analysis
B. PERT chart
C. Rapid application development
D. Object-oriented system development
The correct answer is:
B. PERT chart
Explanation:
A PERT chart will help determine project duration once all the activities and the work involved
in the activities are known. Function point analysis is a technique for determining the size of a
development task based on the number of function points. Function points are factors such as
inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of
individual activities, it will not assist in determining project duration since there are many
overlapping tasks. Rapid application development is a methodology that enables organizations to
develop strategically important systems faster while reducing development costs and maintaining
quality, and object-oriented system development is the process of solution specification and
modeling.
..........................................................................................................
153. Who of the following is ultimately responsible for providing requirement specifications
to the software development project team?
A. Team leader
B. Project sponsor
C. System analyst
D. Steering committee
The correct answer is:
B. Project sponsor
Explanation:
The project sponsor is the manager in charge of the business function, the owner of the data and
the owner of the system under development. Providing functional specifications through
functional users is the responsibility of the project sponsor. The other choices are incorrect. The
team leader or project manager working with the project sponsor is responsible for the overall
control of the project. The steering committee provides the overall direction and ensures
representation of all areas impacted by the new system. The steering committee is responsible for
monitoring the overall progress of the project, but is not responsible for the function being
automated and, therefore, cannot provide requirement specifications. The system analyst,
working from the specifications, designs the new application system.
..........................................................................................................
154. An enterprise has established a steering committee to oversee its e-business program.
The steering committee would MOST likely be involved in the:
A. documentation of requirements.
B. escalation of project issues.
C. design of interface controls.
D. specification of reports.
The correct answer is:
B. escalation of project issues.
Explanation:
The function of the steering committee is to ensure the success of the project. If there are factors
or issues that potentially could affect planned results, the steering committee should escalate
them. Activities such as documentation of requirements, design of interface controls and
specification of reports are the responsibility of the project team.
..........................................................................................................
155. A data warehouse is:
A. object-oriented.
B. subject-oriented.
C. departmental specific.
D. a volatile database
The correct answer is:
B. subject-oriented.
Explanation:
Data warehouses are subject-oriented. A data warehouse is meant to support decisions whose
effects cut across departments within an organization, so it is not departmental specific. It is
also nonvolatile: data are loaded and retained for analysis rather than updated transaction by
transaction, so choice D describes the opposite of a warehouse. Object orientation is a design
and programming paradigm and is irrelevant to a data warehouse system.
..........................................................................................................
156. Which of the following data validation edits is effective in detecting transposition and
transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
The correct answer is:
B. Check digit
Explanation:
A check digit is a numeric value that is calculated mathematically and is appended to data to
ensure that the original data have not been altered, e.g., an incorrect, but valid, value substituted
for the original. This control is effective in detecting transposition and transcription errors. A
range check is checking data that matches a predetermined range of values. A validity check is
programmed checking of the data validity in accordance with predetermined criteria. In a
duplicate check, new or fresh transactions are matched to those previously entered to ensure that
they are not already in the system.
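The check digit described in this question and in question 141 can be seen at work in the following added example, which is not part of the original question bank. The page does not say which check-digit scheme the bank uses, so the mod-10 (Luhn) algorithm used for payment card numbers is assumed; the account numbers are constructed. The example also shows the one adjacent transposition Luhn cannot detect.

```python
"""Mod-10 (Luhn) check digit: detects transcription and transposition errors.

Added example; the page does not specify which check-digit scheme the bank uses,
so the Luhn algorithm (the one behind payment card numbers) is assumed here.
"""


def luhn_check_digit(body: str) -> int:
    """Return the check digit that makes body + digit pass the Luhn test."""
    if not body.isdigit():
        raise ValueError("check digit bodies must be decimal digits")
    total = 0
    # Walk right to left. The rightmost body digit sits next to the check digit,
    # so it is in a "doubled" position.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def with_check_digit(body: str) -> str:
    """Append the check digit, as the bank would when assigning a number."""
    return body + str(luhn_check_digit(body))


def is_valid(number: str) -> bool:
    """Validation edit: recompute the check digit and compare with the last digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def detects(original: str, keyed: str) -> bool:
    """True if a mistyped copy of a valid number is rejected by the edit."""
    return is_valid(original) and not is_valid(keyed)


def transpose(number: str, i: int) -> str:
    """Swap the digits at positions i and i+1 (an adjacent transposition error)."""
    s = list(number)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)


if __name__ == "__main__":
    acct = with_check_digit("7992739871")                      # constructed number
    print(acct, is_valid(acct))
    print("transcription:", detects(acct, "79927398813"))       # one digit mistyped
    print("transposition:", detects(acct, transpose(acct, 6)))  # "98" keyed as "89"
    # Known blind spot: Luhn cannot tell "09" from "90", so both numbers validate.
    blind = with_check_digit("1090")
    print("09 <-> 90:", detects(blind, transpose(blind, 1)))
```

Luhn catches every single-digit substitution and every adjacent transposition except 09/90; schemes with a larger modulus (for example the mod-97 used in IBANs) close that gap at the cost of two check characters.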
..........................................................................................................
157. Before implementing controls, management should FIRST ensure that the controls:
A. satisfy a requirement in addressing a risk issue.
B. do not reduce productivity.
C. are based on a cost-benefit analysis.
D. are detective or corrective.
The correct answer is:
A. satisfy a requirement in addressing a risk issue.
Explanation:
When designing controls, all of the above aspects matter, and in an ideal situation a control
would satisfy every one of them. Realistically that is not always possible and cost may be
prohibitive, so the first question must be whether the control addresses an identified risk at
all; a control that responds to no risk has no business justification regardless of its cost,
type or effect on productivity. Among justified controls, preventive controls that attack the
cause of a threat are then preferred.
..........................................................................................................
158. Which of the following Capability Maturity Model levels ensures achievement of basic
project management controls?
A. Repeatable (level 2)
B. Defined (level 3)
C. Managed (level 4)
D. Optimizing (level 5)
The correct answer is:
A. Repeatable (level 2)
Explanation:
Level 2 has the characteristics of basic project management controls. Level 3 ensures a
documented process, level 4 ensures quantitative quality goals, and level 5 ensures continuous
process improvement.
..........................................................................................................
159. By evaluating application development projects against the capability maturity model
(CMM), an IS auditor should be able to verify that:
A. reliable products are guaranteed.
B. programmers' efficiency is improved.
C. security requirements are designed.
D. predictable software processes are followed.
The correct answer is:
D. predictable software processes are followed.
Explanation:
By evaluating the organization's development projects against the CMM, the IS auditor
determines whether the development organization follows a stable, predictable software process.
Although the likelihood of success should increase as the software processes mature toward the
optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate
technical processes such as programming nor does it evaluate security requirements or other
application controls.
..........................................................................................................
160. Which of the following systems or tools can recognize that a credit card transaction is
more likely to have resulted from a stolen credit card than from the holder of the credit
card?
A. Intrusion detection systems
B. Data mining techniques
C. Firewalls
D. Packet filtering routers
The correct answer is:
B. Data mining techniques
Explanation:
Data mining is a technique used to detect trends or patterns in transactions or data. If a
transaction departs from the historical pattern of charges against a credit card account, that
deviation is a flag that the transaction may have resulted from fraudulent use of the card.
Intrusion detection systems, firewalls and packet filtering routers inspect network traffic and
have no view of a cardholder's spending pattern.
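The pattern-deviation idea above, as an added example that is not part of the original question bank: a card's own history is summarised into a profile, and a new transaction is scored by how far it departs from that profile. The history, the weights and the alert threshold are constructed for illustration; a production fraud model would use far more features and data.

```python
"""Profile-based scoring of a card transaction against the card's own history.

Added example, not from the page. The transaction history, the weights and the
alert threshold are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    card: str
    amount: float
    country: str
    hour: int          # local hour of day, 0-23


# Constructed history for one card: modest domestic daytime purchases.
HISTORY = [
    Txn("4111", a, "US", h)
    for a, h in [(42.10, 12), (18.75, 9), (66.00, 18), (23.40, 13),
                 (51.20, 17), (30.00, 11), (47.85, 15), (12.99, 10)]
]

ALERT_THRESHOLD = 3.0   # constructed; tune against false-positive appetite


def build_profile(history):
    """Summarise the cardholder's normal pattern from past transactions."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,          # avoid division by zero
        "countries": {t.country for t in history},
        "hours": {t.hour for t in history},
    }


def risk_score(txn, profile):
    """Weighted count of the ways this transaction departs from the profile."""
    score, reasons = 0.0, []
    z = (txn.amount - profile["mean"]) / profile["std"]
    if z > 3.0:
        score += 2.0
        reasons.append(f"amount {z:.1f} sd above the card's mean")
    if txn.country not in profile["countries"]:
        score += 2.0
        reasons.append(f"first use in {txn.country}")
    if not any(abs(txn.hour - h) <= 2 for h in profile["hours"]):
        score += 1.0
        reasons.append(f"unusual hour {txn.hour:02d}:00")
    return score, reasons


def is_suspicious(txn, history=HISTORY):
    """(flag, score, reasons) for one incoming transaction."""
    score, reasons = risk_score(txn, build_profile(history))
    return score >= ALERT_THRESHOLD, score, reasons


if __name__ == "__main__":
    for t in [Txn("4111", 38.50, "US", 14),      # looks like the holder
              Txn("4111", 120.00, "US", 14),     # pricey but otherwise normal
              Txn("4111", 1899.00, "RO", 3)]:    # breaks the pattern on every axis
        print(t, is_suspicious(t))
```

No single feature decides the outcome: an unusually large domestic daytime purchase scores below the threshold on its own, while a large purchase from a new country at an unusual hour accumulates enough deviation to be flagged for review rather than declined outright.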
..........................................................................................................
161. What data should be used for regression testing?
A. Different data than used in the previous test
B. The most current production data
C. The data used in previous tests
D. Data produced by a test data generator
The correct answer is:
C. The data used in previous tests
Explanation:
Regression testing ensures that changes or corrections in a program have not introduced new
errors. Therefore, this would be achieved only if the data used for regression testing are the same
as the data used in previous tests.
..........................................................................................................
162. Failure in which of the following testing stages would have the GREATEST impact on
the implementation of new application software?
A. System testing
B. Acceptance testing
C. Integration testing
D. Unit testing
The correct answer is:
B. Acceptance testing
Explanation:
Acceptance testing is the final stage before the software is installed and is available for use. The
greatest impact would occur if the software fails at the acceptance testing level, as this could
result in delays and cost overruns. System testing is undertaken by the developer team to
determine if the software meets user requirements per specifications. Integration testing
examines the units/modules as one integrated system and unit testing examines the individual
units or components of the software. System, integration and unit testing are all performed by the
developers at various stages of development, and the impact of failure is comparatively less for
each, than failure at the acceptance testing stage.
..........................................................................................................
163. The waterfall life cycle model of software development is most appropriately used
when:
A. requirements are well understood and are expected to remain stable, as is the business
environment in which the system will operate.
B. requirements are well understood and the project is subject to time pressures.
C. the project intends to apply an object-oriented design and programming approach.
D. the project will involve the use of new technology.
The correct answer is:
A. requirements are well understood and are expected to remain stable, as is the business
environment in which the system will operate.
Explanation:
Historically, the waterfall model has been best suited to the stable conditions described in choice
A. When the degree of uncertainty of the system to be delivered and the conditions in which it
will be used rises, the waterfall model has not been successful. In these circumstances the
various forms of iterative development life cycle give the advantage of breaking down the scope
of the overall system to be delivered, making the requirements gathering and design activities
more manageable. The ability to deliver working software earlier also acts to alleviate
uncertainty and may allow an earlier realization of benefits. The choice of a design and
programming approach is not itself a determining factor of the type of software development life
cycle that is appropriate. The use of new technology in a project introduces a significant element
of risk. An iterative form of development, particularly one of the family of agile methods that
focuses on early development of actual working software, is likely to be the better option to
manage this uncertainty.
..........................................................................................................
164. The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them.
B. protect valid changes from being overwritten by other changes during programming.
C. define the program development and maintenance costs to be included in the feasibility
study.
D. ensure that abnormal terminations and coding flaws are detected and corrected.
The correct answer is:
D. ensure that abnormal terminations and coding flaws are detected and corrected.
Explanation:
The purpose of debugging programs is to ensure that program abends and coding flaws are
detected and corrected before the final program goes into production. There are special tools,
such as logic path monitors, memory dumps and output analyzers, to aid the debugging efforts.
..........................................................................................................
165. Sales orders are automatically numbered sequentially at each of a retailer's multiple
outlets. Small orders are processed directly at the outlets, with large orders sent to a
central production facility. The MOST appropriate control to ensure that all orders
transmitted to production are received and processed would be to:
A. send and reconcile transaction counts and totals.
B. have data transmitted back to the local site for comparison.
C. compare data communications protocols with parity checking.
D. track and account for the numerical sequence of sales orders at the production facility.
The correct answer is:
A. send and reconcile transaction counts and totals.
Explanation:
Sending and reconciling transaction totals not only ensure that the orders were received, but also
processed by the central production location. Transmission back to the local site confirms that
the central location received it, but not that they have actually processed it. Tracking and
accounting for the numerical sequence only confirms what orders are on hand, and not whether
they actually have been completed. The use of parity checking would only confirm that the order
was not changed during transmission.
..........................................................................................................
166. Which of the following is a control to compensate for a programmer having access to
accounts payable production data?
A. Processing controls such as range checks and logic edits
B. Reviewing accounts payable output reports by data entry
C. Reviewing system-produced reports for checks (cheques) over a stated amount
D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
The correct answer is:
D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
Explanation:
To ensure that the programmer could not have a check (cheque) generated, it would be necessary
for someone to confirm all of the checks (cheques) generated by the system. Range and logic
checks could easily be bypassed by a programmer, since they are privy to the controls that have
been built into the system. The review of the accounts payable reports by data entry would only
identify changes that might have been made to the data input. It would not identify information
that might have been changed on the master files. Reviewing reports for checks (cheques) over a
certain amount would not allow for the identification of any unauthorized, low-value checks
(cheques) or catch alterations to the actual checks (cheques) themselves.
..........................................................................................................
167. Which of the following BEST describes the objectives of following a standard system
development methodology?
A. To ensure that appropriate staffing is assigned and to provide a method of controlling
costs and schedules
B. To provide a method of controlling costs and schedules and to ensure communication
among users, IS auditors, management and IS personnel
C. To provide a method of controlling costs and schedules and an effective means of
auditing project development
D. To ensure communication among users, IS auditors, management and personnel, and to
ensure that appropriate staffing is assigned
The correct answer is:
B. To provide a method of controlling costs and schedules and to ensure communication
among users, IS auditors, management and IS personnel
Explanation:
A well-defined systems development methodology will facilitate effective management of the
project since costs and schedules will be monitored consistently. Also, design methodologies
require various approvals and sign-offs from different functional groups. This facilitates
adequate communications between these groups.
..........................................................................................................
168. Procedures to prevent scope creep should be baselined in which of the following
systems development life cycle (SDLC) phases?
A. Development
B. Implementation
C. Design
D. Feasibility
The correct answer is:
C. Design
Explanation:
To prevent uncontrolled entry of new requirements into a system being developed, a standard
process for authorization, approval, testing and documentation is necessary. Such procedures are
baselined in the design phase and modified in accordance with the needs of the organization. In
the development phase, the design specifications are used to program the system that will
support specific organizational processes. The implementation phase is too late and the
feasibility phase is too early for establishing scope creep procedures.
..........................................................................................................
169. An employee is responsible for updating daily the interest rates in a finance
application, including interest rate exceptions for preferred customers. Which of the
following is the BEST control to ensure that all rate exceptions are approved?
A. A supervisor must enter his/her password before a rate exception is validated.
B. Rates outside the normal range require prior management approval.
C. The system beeps an alarm when rate exceptions are entered.
D. All interest rates must be logged and verified every 30 days.
The correct answer is:
B. Rates outside the normal range require prior management approval.
Explanation:
Prior approval of management for rates outside the normal range would be a proper control.
Entering the password of a supervisor does not ensure authorization. A system alarm upon entry
of a rate exception is only a warning. Logging of exceptions is a detective control.
..........................................................................................................
170. Change control for business application systems being developed using prototyping
could be complicated by the:
A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and screens.
D. lack of integrated tools.
The correct answer is:
B. rapid pace of modifications in requirements and design.
Explanation:
Changes in requirements and design happen so quickly that they are seldom documented or
approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse
effect on change control.
..........................................................................................................
171. The purpose of a checksum on an amount field in an electronic data interchange (EDI)
communication of financial transactions is to ensure:
A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.
The correct answer is:
A. integrity.
Explanation:
A checksum calculated on an amount field and included in the EDI communication lets the
receiver detect that the amount was modified in transit. Note the limit of the control: a plain
checksum catches accidental corruption and unsophisticated tampering, but an attacker who can
change the amount can also recompute the checksum, so protection against deliberate
modification needs a keyed message authentication code or a digital signature. Authenticity and
authorization cannot be established by a checksum alone and need other controls.
Nonrepudiation can be ensured by using digital signatures.
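The following added example (not part of the original question bank) puts this question and question 145 side by side: a checksum on the message, which detects line noise but not a tamper-and-recompute, against a keyed HMAC, which only a holder of the trading-partner key can produce. The pipe-separated message layout and the key are constructed for illustration and are not a real EDI standard segment.

```python
"""Checksum vs. keyed MAC on an EDI-style payment message.

Added example, not from the page. The message layout (pipe-separated fields)
and the key are constructed for illustration.
"""
import hashlib
import hmac
import zlib

# Constructed sample payment instruction.
MESSAGE = b"PAY|FROM=ACME|TO=SUPPLIER01|AMOUNT=1500.00|CUR=USD"
# Shared secret agreed out of band between trading partners (illustrative value).
PARTNER_KEY = b"trading-partner-secret-key"


def attach_checksum(msg: bytes) -> bytes:
    """Append a CRC-32 of the message: the integrity control a checksum provides."""
    return msg + b"|CRC=" + format(zlib.crc32(msg) & 0xFFFFFFFF, "08x").encode()


def verify_checksum(framed: bytes) -> bool:
    body, sep, tag = framed.rpartition(b"|CRC=")
    if not sep:
        return False
    return tag == format(zlib.crc32(body) & 0xFFFFFFFF, "08x").encode()


def attach_mac(msg: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only a holder of the key can produce it."""
    return msg + b"|MAC=" + hmac.new(key, msg, hashlib.sha256).hexdigest().encode()


def verify_mac(framed: bytes, key: bytes) -> bool:
    body, sep, tag = framed.rpartition(b"|MAC=")
    if not sep:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(tag, expected)   # constant-time comparison


def tamper_amount(framed: bytes, new_amount: bytes) -> bytes:
    """Attacker edits the amount field and leaves any trailing tag untouched."""
    return framed.replace(b"AMOUNT=1500.00", b"AMOUNT=" + new_amount)


def corrupt_one_byte(framed: bytes) -> bytes:
    """Accidental transmission error: flip one bit in the first byte."""
    return bytes([framed[0] ^ 0x01]) + framed[1:]


if __name__ == "__main__":
    c = attach_checksum(MESSAGE)
    print("checksum, intact:", verify_checksum(c))
    print("checksum, line noise:", verify_checksum(corrupt_one_byte(c)))
    forged = attach_checksum(tamper_amount(MESSAGE, b"9500.00"))
    print("checksum, tampered and recomputed:", verify_checksum(forged))
    m = attach_mac(MESSAGE, PARTNER_KEY)
    print("mac, intact:", verify_mac(m, PARTNER_KEY))
    print("mac, tampered:", verify_mac(tamper_amount(m, b"9500.00"), PARTNER_KEY))
```

The MAC answers question 145's concern (is this message from the partner, unmodified?) but not nonrepudiation: both partners hold the key, so either could have produced the tag. Where the receiver must be able to prove to a third party who sent the instruction, a digital signature is needed instead.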
..........................................................................................................
172. Which of the following would help to ensure the portability of an application
connected to a database? The:
A. verification of database import and export procedures.
B. usage of a structured query language (SQL).
C. analysis of stored procedures/triggers.
D. synchronization of the entity-relation model with the database physical schema.
The correct answer is:
B. usage of a structured query language (SQL).
Explanation:
The use of standard SQL, rather than vendor-specific extensions, facilitates portability because
the same statements run against any compliant database. Verification of import and export
procedures ensures better interfacing with other systems, analyzing stored procedures/triggers
ensures proper access/performance, and reviewing the entity-relation model against the
physical schema is helpful, but none of these contribute to the portability of an application
connecting to a database.
..........................................................................................................
173. During which of the following phases in system development would user acceptance
test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Postimplementation review
The correct answer is:
B. Requirements definition
Explanation:
During requirements definition, the project team will be working with the users to define their
precise objectives and functional needs. At this time, the users should be working with the team
to consider and document how the system functionality can be tested to ensure it meets their
stated needs. The feasibility study is too early for such detailed user involvement, and the
implementation planning and postimplementation review phases are too late. The IS auditor
should know at what point user testing should be planned to ensure it is most effective and
efficient.
..........................................................................................................
174. Which of the following risks could result from inadequate software baselining?
A. Scope creep
B. Sign-off delays
C. Software integrity violations
D. Inadequate controls
The correct answer is:
A. Scope creep
Explanation:
A software baseline is the cut-off point in the design and development of a system beyond which
additional requirements or modifications to the design do not or cannot occur without
undergoing formal strict procedures for approval based on a business cost-benefit analysis.
Failure to adequately manage the requirements of a system through baselining can result in a
number of risks. Foremost among these risks is scope creep, the process through which
requirements change during development. Choices B, C and D may not always result, but choice
A is inevitable.
..........................................................................................................